Changed cmd_reload to arrange windows post reload #9

Luminarys · 2015-08-10T19:39:10Z

No description provided.

Changed cmd_reload to arrange windows post reload

ddevault · 2015-08-10T19:39:35Z

Thanks!

Fixes this kind of use-after-free: ==1795==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000191ef0 at pc 0x00000048c388 bp 0x7ffe308f0410 sp 0x7ffe308f0400 WRITE of size 8 at 0x612000191ef0 thread T0 #0 0x48c387 in wl_list_remove ../common/list.c:157 swaywm#1 0x42196b in handle_destroy ../sway/desktop/layer_shell.c:275 swaywm#2 0x7f55cc2549fa in wlr_signal_emit_safe ../util/signal.c:29 swaywm#3 0x7f55cc22cf68 in layer_surface_destroy ../types/wlr_layer_shell.c:182 swaywm#4 0x7f55cc22d084 in layer_surface_resource_destroy ../types/wlr_layer_shell.c:196 swaywm#5 0x7f55cc4ca025 in destroy_resource src/wayland-server.c:688 swaywm#6 0x7f55cc4ca091 in wl_resource_destroy src/wayland-server.c:705 swaywm#7 0x7f55cc22c3a2 in resource_handle_destroy ../types/wlr_layer_shell.c:18 swaywm#8 0x7f55c8ef103d in ffi_call_unix64 (/lib64/libffi.so.6+0x603d) swaywm#9 0x7f55c8ef09fe in ffi_call (/lib64/libffi.so.6+0x59fe) swaywm#10 0x7f55cc4cdf2c (/lib64/libwayland-server.so.0+0xbf2c) swaywm#11 0x7f55cc4ca3de in wl_client_connection_data src/wayland-server.c:420 swaywm#12 0x7f55cc4cbf01 in wl_event_loop_dispatch src/event-loop.c:641 swaywm#13 0x7f55cc4ca601 in wl_display_run src/wayland-server.c:1260 swaywm#14 0x40bb1e in server_run ../sway/server.c:141 swaywm#15 0x40ab2f in main ../sway/main.c:432 swaywm#16 0x7f55cb97318a in __libc_start_main ../csu/libc-start.c:308 swaywm#17 0x408d29 in _start (/opt/wayland/bin/sway+0x408d29) 0x612000191ef0 is located 48 bytes inside of 312-byte region [0x612000191ec0,0x612000191ff8) freed by thread T0 here: #0 0x7f55ce3bb880 in __interceptor_free (/lib64/libasan.so.5+0xee880) swaywm#1 0x42f1db in handle_destroy ../sway/desktop/output.c:1275 swaywm#2 0x7f55cc2549fa in wlr_signal_emit_safe ../util/signal.c:29 swaywm#3 0x7f55cc23b4c2 in wlr_output_destroy ../types/wlr_output.c:284 swaywm#4 0x7f55cc1ddc20 in xdg_toplevel_handle_close ../backend/wayland/output.c:235 swaywm#5 0x7f55c8ef103d in ffi_call_unix64 (/lib64/libffi.so.6+0x603d) previously allocated by thread T0 here: #0 0x7f55ce3bbe50 in calloc (/lib64/libasan.so.5+0xeee50) swaywm#1 0x42f401 in handle_new_output ../sway/desktop/output.c:1308 swaywm#2 0x7f55cc2549fa in wlr_signal_emit_safe ../util/signal.c:29 swaywm#3 0x7f55cc1d6cbf in new_output_reemit ../backend/multi/backend.c:113 swaywm#4 0x7f55cc2549fa in wlr_signal_emit_safe ../util/signal.c:29 swaywm#5 0x7f55cc1deac7 in wlr_wl_output_create ../backend/wayland/output.c:327 swaywm#6 0x7f55cc1db353 in backend_start ../backend/wayland/backend.c:55 swaywm#7 0x7f55cc1bad55 in wlr_backend_start ../backend/backend.c:35 swaywm#8 0x7f55cc1d67a0 in multi_backend_start ../backend/multi/backend.c:24 swaywm#9 0x7f55cc1bad55 in wlr_backend_start ../backend/backend.c:35 swaywm#10 0x40ba8a in server_run ../sway/server.c:136 swaywm#11 0x40ab2f in main ../sway/main.c:432 swaywm#12 0x7f55cb97318a in __libc_start_main ../csu/libc-start.c:308

That event comes from the toplevel and not the surface, so would cause a use-after-free on destroy if the toplevel got destroyed first: ==5454==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110001ed198 at pc 0x000000472d10 bp 0x7ffc19070a80 sp 0x7ffc19070a70 WRITE of size 8 at 0x6110001ed198 thread T0 #0 0x472d0f in wl_list_remove ../common/list.c:157 swaywm#1 0x42e159 in handle_destroy ../sway/desktop/xdg_shell_v6.c:243 swaywm#2 0x7fa9e5b28ce8 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#3 0x7fa9e5afd6b1 in destroy_xdg_surface_v6 ../types/xdg_shell_v6/wlr_xdg_surface_v6.c:101 swaywm#4 0x7fa9e5d98025 in destroy_resource src/wayland-server.c:688 swaywm#5 0x7fa9e5d98091 in wl_resource_destroy src/wayland-server.c:705 swaywm#6 0x7fa9e27f103d in ffi_call_unix64 (/lib64/libffi.so.6+0x603d) swaywm#7 0x7fa9e27f09fe in ffi_call (/lib64/libffi.so.6+0x59fe) swaywm#8 0x7fa9e5d9bf2c (/lib64/libwayland-server.so.0+0xbf2c) swaywm#9 0x7fa9e5d983de in wl_client_connection_data src/wayland-server.c:420 swaywm#10 0x7fa9e5d99f01 in wl_event_loop_dispatch src/event-loop.c:641 swaywm#11 0x7fa9e5d98601 in wl_display_run src/wayland-server.c:1260 swaywm#12 0x40a2f4 in main ../sway/main.c:433 swaywm#13 0x7fa9e527318a in __libc_start_main ../csu/libc-start.c:308 swaywm#14 0x40b749 in _start (/opt/wayland/bin/sway+0x40b749) 0x6110001ed198 is located 152 bytes inside of 240-byte region [0x6110001ed100,0x6110001ed1f0) freed by thread T0 here: #0 0x7fa9e7c89880 in __interceptor_free (/lib64/libasan.so.5+0xee880) swaywm#1 0x7fa9e5affce9 in destroy_xdg_toplevel_v6 ../types/xdg_shell_v6/wlr_xdg_toplevel_v6.c:23 swaywm#2 0x7fa9e5d98025 in destroy_resource src/wayland-server.c:688 previously allocated by thread T0 here: #0 0x7fa9e7c89e50 in calloc (/lib64/libasan.so.5+0xeee50) swaywm#1 0x7fa9e5b00eea in create_xdg_toplevel_v6 ../types/xdg_shell_v6/wlr_xdg_toplevel_v6.c:427 swaywm#2 0x7fa9e27f103d in ffi_call_unix64 (/lib64/libffi.so.6+0x603d) The toplevel only notifies the compositor on destroy if it was mapped, so only listen to events at map time.

Fixes heap-use-after-free: ==32046==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000064d20 at pc 0x55571ce4d303 bp 0x7fff545c64c0 sp 0x7fff545c64b0 WRITE of size 8 at 0x615000064d20 thread T0 #0 0x55571ce4d302 in xdg_decoration_handle_destroy ../sway/xdg_decoration.c:13 swaywm#1 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#2 0x7f64009d3c46 in toplevel_decoration_handle_resource_destroy ../types/wlr_xdg_decoration_v1.c:65 swaywm#3 0x7f6400a19f8d (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d) swaywm#4 0x7f6400a19fed in wl_resource_destroy (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7fed) swaywm#5 0x7f64009d3d1f in toplevel_decoration_handle_surface_destroy ../types/wlr_xdg_decoration_v1.c:82 swaywm#6 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#7 0x7f64009b059c in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:453 swaywm#8 0x7f64009b0688 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:483 swaywm#9 0x7f64009af08c in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71 swaywm#10 0x7f6400a19f8d (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d) swaywm#11 0x7f6400a1e211 (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0xc211) swaywm#12 0x7f6400a1e6fe (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0xc6fe) swaywm#13 0x7f6400a1a0ec in wl_client_destroy (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x80ec) swaywm#14 0x7f6400a1a1c4 (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x81c4) swaywm#15 0x7f6400a1b941 in wl_event_loop_dispatch (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x9941) swaywm#16 0x7f6400a1a569 in wl_display_run (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x8569) swaywm#17 0x55571ce4c7fd in server_run ../sway/server.c:214 swaywm#18 0x55571ce4ad59 in main ../sway/main.c:405 swaywm#19 0x7f640071109a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) swaywm#20 0x55571ce2cfa9 in _start (/usr/local/bin/sway+0x35fa9) 0x615000064d20 is located 32 bytes inside of 504-byte region [0x615000064d00,0x615000064ef8) freed by thread T0 here: #0 0x7f6401531b70 in free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedb70) swaywm#1 0x55571ce6c72b in destroy ../sway/desktop/xdg_shell.c:252 swaywm#2 0x55571cee3f7b in view_destroy ../sway/tree/view.c:60 swaywm#3 0x55571cee4090 in view_begin_destroy ../sway/tree/view.c:73 swaywm#4 0x55571ce6dd95 in handle_destroy ../sway/desktop/xdg_shell.c:464 swaywm#5 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#6 0x7f64009b059c in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:453 swaywm#7 0x7f64009b0688 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:483 swaywm#8 0x7f64009af08c in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71 swaywm#9 0x7f6400a19f8d (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d) previously allocated by thread T0 here: #0 0x7f6401532138 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xee138) swaywm#1 0x55571ce6df39 in handle_xdg_shell_surface ../sway/desktop/xdg_shell.c:485 swaywm#2 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#3 0x7f64009b0167 in handle_xdg_surface_commit ../types/xdg_shell/wlr_xdg_surface.c:350 swaywm#4 0x7f64009ce2a5 in surface_commit_pending ../types/wlr_surface.c:372 swaywm#5 0x7f64009ce523 in surface_commit ../types/wlr_surface.c:444 swaywm#6 0x7f63ff63ddad in ffi_call_unix64 (/usr/lib/x86_64-linux-gnu/libffi.so.6+0x5dad)

Fixes heap-use-after-free: ==32046==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000064d20 at pc 0x55571ce4d303 bp 0x7fff545c64c0 sp 0x7fff545c64b0 WRITE of size 8 at 0x615000064d20 thread T0 #0 0x55571ce4d302 in xdg_decoration_handle_destroy ../sway/xdg_decoration.c:13 swaywm#1 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#2 0x7f64009d3c46 in toplevel_decoration_handle_resource_destroy ../types/wlr_xdg_decoration_v1.c:65 swaywm#3 0x7f6400a19f8d (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d) swaywm#4 0x7f6400a19fed in wl_resource_destroy (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7fed) swaywm#5 0x7f64009d3d1f in toplevel_decoration_handle_surface_destroy ../types/wlr_xdg_decoration_v1.c:82 swaywm#6 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#7 0x7f64009b059c in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:453 swaywm#8 0x7f64009b0688 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:483 swaywm#9 0x7f64009af08c in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71 swaywm#10 0x7f6400a19f8d (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d) swaywm#11 0x7f6400a1e211 (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0xc211) swaywm#12 0x7f6400a1e6fe (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0xc6fe) swaywm#13 0x7f6400a1a0ec in wl_client_destroy (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x80ec) swaywm#14 0x7f6400a1a1c4 (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x81c4) swaywm#15 0x7f6400a1b941 in wl_event_loop_dispatch (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x9941) swaywm#16 0x7f6400a1a569 in wl_display_run (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x8569) swaywm#17 0x55571ce4c7fd in server_run ../sway/server.c:214 swaywm#18 0x55571ce4ad59 in main ../sway/main.c:405 swaywm#19 0x7f640071109a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) swaywm#20 0x55571ce2cfa9 in _start (/usr/local/bin/sway+0x35fa9) 0x615000064d20 is located 32 bytes inside of 504-byte region [0x615000064d00,0x615000064ef8) freed by thread T0 here: #0 0x7f6401531b70 in free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedb70) swaywm#1 0x55571ce6c72b in destroy ../sway/desktop/xdg_shell.c:252 swaywm#2 0x55571cee3f7b in view_destroy ../sway/tree/view.c:60 swaywm#3 0x55571cee4090 in view_begin_destroy ../sway/tree/view.c:73 swaywm#4 0x55571ce6dd95 in handle_destroy ../sway/desktop/xdg_shell.c:464 swaywm#5 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#6 0x7f64009b059c in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:453 swaywm#7 0x7f64009b0688 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:483 swaywm#8 0x7f64009af08c in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71 swaywm#9 0x7f6400a19f8d (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d) previously allocated by thread T0 here: #0 0x7f6401532138 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xee138) swaywm#1 0x55571ce6df39 in handle_xdg_shell_surface ../sway/desktop/xdg_shell.c:485 swaywm#2 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#3 0x7f64009b0167 in handle_xdg_surface_commit ../types/xdg_shell/wlr_xdg_surface.c:350 swaywm#4 0x7f64009ce2a5 in surface_commit_pending ../types/wlr_surface.c:372 swaywm#5 0x7f64009ce523 in surface_commit ../types/wlr_surface.c:444 swaywm#6 0x7f63ff63ddad in ffi_call_unix64 (/usr/lib/x86_64-linux-gnu/libffi.so.6+0x5dad) Fixes swaywm#3759

Fixes heap-use-after-free: ==32046==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000064d20 at pc 0x55571ce4d303 bp 0x7fff545c64c0 sp 0x7fff545c64b0 WRITE of size 8 at 0x615000064d20 thread T0 #0 0x55571ce4d302 in xdg_decoration_handle_destroy ../sway/xdg_decoration.c:13 #1 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29 #2 0x7f64009d3c46 in toplevel_decoration_handle_resource_destroy ../types/wlr_xdg_decoration_v1.c:65 #3 0x7f6400a19f8d (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d) #4 0x7f6400a19fed in wl_resource_destroy (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7fed) #5 0x7f64009d3d1f in toplevel_decoration_handle_surface_destroy ../types/wlr_xdg_decoration_v1.c:82 #6 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29 #7 0x7f64009b059c in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:453 #8 0x7f64009b0688 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:483 #9 0x7f64009af08c in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71 #10 0x7f6400a19f8d (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d) #11 0x7f6400a1e211 (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0xc211) #12 0x7f6400a1e6fe (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0xc6fe) #13 0x7f6400a1a0ec in wl_client_destroy (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x80ec) #14 0x7f6400a1a1c4 (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x81c4) #15 0x7f6400a1b941 in wl_event_loop_dispatch (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x9941) #16 0x7f6400a1a569 in wl_display_run (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x8569) #17 0x55571ce4c7fd in server_run ../sway/server.c:214 #18 0x55571ce4ad59 in main ../sway/main.c:405 #19 0x7f640071109a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) #20 0x55571ce2cfa9 in _start (/usr/local/bin/sway+0x35fa9) 0x615000064d20 is located 32 bytes inside of 504-byte region [0x615000064d00,0x615000064ef8) freed by thread T0 here: #0 0x7f6401531b70 in free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedb70) #1 0x55571ce6c72b in destroy ../sway/desktop/xdg_shell.c:252 #2 0x55571cee3f7b in view_destroy ../sway/tree/view.c:60 #3 0x55571cee4090 in view_begin_destroy ../sway/tree/view.c:73 #4 0x55571ce6dd95 in handle_destroy ../sway/desktop/xdg_shell.c:464 #5 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29 #6 0x7f64009b059c in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:453 #7 0x7f64009b0688 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:483 #8 0x7f64009af08c in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71 #9 0x7f6400a19f8d (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d) previously allocated by thread T0 here: #0 0x7f6401532138 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xee138) #1 0x55571ce6df39 in handle_xdg_shell_surface ../sway/desktop/xdg_shell.c:485 #2 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29 #3 0x7f64009b0167 in handle_xdg_surface_commit ../types/xdg_shell/wlr_xdg_surface.c:350 #4 0x7f64009ce2a5 in surface_commit_pending ../types/wlr_surface.c:372 #5 0x7f64009ce523 in surface_commit ../types/wlr_surface.c:444 #6 0x7f63ff63ddad in ffi_call_unix64 (/usr/lib/x86_64-linux-gnu/libffi.so.6+0x5dad) Fixes #3759

handle_destroy would mark the output es being destroyed and commit the transaction. Committing the transaction results in the output being freed, the output manager can not retrieve the server reference afterwards, resulting in the following use-after-free: ==22746==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000017088 at pc 0x560c1ac17136 bp 0x7ffeab146f20 sp 0x7ffeab146f10 READ of size 8 at 0x614000017088 thread T0 #0 0x560c1ac17135 in handle_destroy ../sway/desktop/output.c:566 swaywm#1 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29 swaywm#2 0x7f38af5d3dfc in drm_connector_cleanup ../subprojects/wlroots/backend/drm/drm.c:1448 swaywm#3 0x7f38af5d2058 in scan_drm_connectors ../subprojects/wlroots/backend/drm/drm.c:1240 swaywm#4 0x7f38af5c6a59 in drm_invalidated ../subprojects/wlroots/backend/drm/backend.c:135 swaywm#5 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29 swaywm#6 0x7f38af5e827a in udev_event ../subprojects/wlroots/backend/session/session.c:52 swaywm#7 0x7f38aef5d7f1 in wl_event_loop_dispatch (/usr/lib/libwayland-server.so.0+0xa7f1) swaywm#8 0x7f38aef5c39b in wl_display_run (/usr/lib/libwayland-server.so.0+0x939b) swaywm#9 0x560c1ac0afbe in server_run ../sway/server.c:225 swaywm#10 0x560c1ac09382 in main ../sway/main.c:397 swaywm#11 0x7f38aed35ce2 in __libc_start_main (/usr/lib/libc.so.6+0x23ce2) swaywm#12 0x560c1abea10d in _start (/usr/local/bin/sway+0x3910d) 0x614000017088 is located 72 bytes inside of 432-byte region [0x614000017040,0x6140000171f0) freed by thread T0 here: #0 0x7f38af82df89 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:66 swaywm#1 0x560c1acbd1ed in output_destroy ../sway/tree/output.c:243 swaywm#2 0x560c1ac23ce5 in transaction_destroy ../sway/desktop/transaction.c:66 swaywm#3 0x560c1ac26b71 in transaction_progress_queue ../sway/desktop/transaction.c:348 swaywm#4 0x560c1ac284ca in transaction_commit_dirty ../sway/desktop/transaction.c:539 swaywm#5 0x560c1ac17110 in handle_destroy ../sway/desktop/output.c:564 swaywm#6 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29 swaywm#7 0x7f38af5d3dfc in drm_connector_cleanup ../subprojects/wlroots/backend/drm/drm.c:1448 swaywm#8 0x7f38af5d2058 in scan_drm_connectors ../subprojects/wlroots/backend/drm/drm.c:1240 swaywm#9 0x7f38af5c6a59 in drm_invalidated ../subprojects/wlroots/backend/drm/backend.c:135 swaywm#10 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29 swaywm#11 0x7f38af5e827a in udev_event ../subprojects/wlroots/backend/session/session.c:52 swaywm#12 0x7f38aef5d7f1 in wl_event_loop_dispatch (/usr/lib/libwayland-server.so.0+0xa7f1) previously allocated by thread T0 here: #0 0x7f38af82e5a1 in __interceptor_calloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:95 swaywm#1 0x560c1acbc228 in output_create ../sway/tree/output.c:91 swaywm#2 0x560c1ac17ba2 in handle_new_output ../sway/desktop/output.c:656 swaywm#3 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29 swaywm#4 0x7f38af5e4ce8 in new_output_reemit ../subprojects/wlroots/backend/multi/backend.c:143 swaywm#5 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29 swaywm#6 0x7f38af5d26d4 in scan_drm_connectors ../subprojects/wlroots/backend/drm/drm.c:1294 swaywm#7 0x7f38af5c6a59 in drm_invalidated ../subprojects/wlroots/backend/drm/backend.c:135 swaywm#8 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29 swaywm#9 0x7f38af5e827a in udev_event ../subprojects/wlroots/backend/session/session.c:52 swaywm#10 0x7f38aef5d7f1 in wl_event_loop_dispatch (/usr/lib/libwayland-server.so.0+0xa7f1) SUMMARY: AddressSanitizer: heap-use-after-free ../sway/desktop/output.c:566 in handle_destroy Shadow bytes around the buggy address: 0x0c287fffadc0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c287fffadd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c287fffade0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c287fffadf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c287fffae00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd =>0x0c287fffae10: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c287fffae20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c287fffae30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa 0x0c287fffae40: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c287fffae50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c287fffae60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Retrieve the reference before the output is destroyed and update the output_management state with the saved reference.

handle_destroy would mark the output es being destroyed and commit the transaction. Committing the transaction results in the output being freed, the output manager can not retrieve the server reference afterwards, resulting in the following use-after-free: ==22746==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000017088 at pc 0x560c1ac17136 bp 0x7ffeab146f20 sp 0x7ffeab146f10 READ of size 8 at 0x614000017088 thread T0 #0 0x560c1ac17135 in handle_destroy ../sway/desktop/output.c:566 #1 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29 #2 0x7f38af5d3dfc in drm_connector_cleanup ../subprojects/wlroots/backend/drm/drm.c:1448 #3 0x7f38af5d2058 in scan_drm_connectors ../subprojects/wlroots/backend/drm/drm.c:1240 #4 0x7f38af5c6a59 in drm_invalidated ../subprojects/wlroots/backend/drm/backend.c:135 #5 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29 #6 0x7f38af5e827a in udev_event ../subprojects/wlroots/backend/session/session.c:52 #7 0x7f38aef5d7f1 in wl_event_loop_dispatch (/usr/lib/libwayland-server.so.0+0xa7f1) #8 0x7f38aef5c39b in wl_display_run (/usr/lib/libwayland-server.so.0+0x939b) #9 0x560c1ac0afbe in server_run ../sway/server.c:225 #10 0x560c1ac09382 in main ../sway/main.c:397 #11 0x7f38aed35ce2 in __libc_start_main (/usr/lib/libc.so.6+0x23ce2) #12 0x560c1abea10d in _start (/usr/local/bin/sway+0x3910d) 0x614000017088 is located 72 bytes inside of 432-byte region [0x614000017040,0x6140000171f0) freed by thread T0 here: #0 0x7f38af82df89 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:66 #1 0x560c1acbd1ed in output_destroy ../sway/tree/output.c:243 #2 0x560c1ac23ce5 in transaction_destroy ../sway/desktop/transaction.c:66 #3 0x560c1ac26b71 in transaction_progress_queue ../sway/desktop/transaction.c:348 #4 0x560c1ac284ca in transaction_commit_dirty ../sway/desktop/transaction.c:539 #5 0x560c1ac17110 in handle_destroy ../sway/desktop/output.c:564 #6 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29 #7 0x7f38af5d3dfc in drm_connector_cleanup ../subprojects/wlroots/backend/drm/drm.c:1448 #8 0x7f38af5d2058 in scan_drm_connectors ../subprojects/wlroots/backend/drm/drm.c:1240 #9 0x7f38af5c6a59 in drm_invalidated ../subprojects/wlroots/backend/drm/backend.c:135 #10 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29 #11 0x7f38af5e827a in udev_event ../subprojects/wlroots/backend/session/session.c:52 #12 0x7f38aef5d7f1 in wl_event_loop_dispatch (/usr/lib/libwayland-server.so.0+0xa7f1) previously allocated by thread T0 here: #0 0x7f38af82e5a1 in __interceptor_calloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:95 #1 0x560c1acbc228 in output_create ../sway/tree/output.c:91 #2 0x560c1ac17ba2 in handle_new_output ../sway/desktop/output.c:656 #3 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29 #4 0x7f38af5e4ce8 in new_output_reemit ../subprojects/wlroots/backend/multi/backend.c:143 #5 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29 #6 0x7f38af5d26d4 in scan_drm_connectors ../subprojects/wlroots/backend/drm/drm.c:1294 #7 0x7f38af5c6a59 in drm_invalidated ../subprojects/wlroots/backend/drm/backend.c:135 #8 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29 #9 0x7f38af5e827a in udev_event ../subprojects/wlroots/backend/session/session.c:52 #10 0x7f38aef5d7f1 in wl_event_loop_dispatch (/usr/lib/libwayland-server.so.0+0xa7f1) SUMMARY: AddressSanitizer: heap-use-after-free ../sway/desktop/output.c:566 in handle_destroy Shadow bytes around the buggy address: 0x0c287fffadc0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c287fffadd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c287fffade0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c287fffadf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c287fffae00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd =>0x0c287fffae10: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c287fffae20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c287fffae30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa 0x0c287fffae40: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c287fffae50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c287fffae60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Retrieve the reference before the output is destroyed and update the output_management state with the saved reference.

handle_destroy would mark the output es being destroyed and commit the transaction. Committing the transaction results in the output being freed, the output manager can not retrieve the server reference afterwards, resulting in the following use-after-free: ==22746==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000017088 at pc 0x560c1ac17136 bp 0x7ffeab146f20 sp 0x7ffeab146f10 READ of size 8 at 0x614000017088 thread T0 #0 0x560c1ac17135 in handle_destroy ../sway/desktop/output.c:566 swaywm#1 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29 swaywm#2 0x7f38af5d3dfc in drm_connector_cleanup ../subprojects/wlroots/backend/drm/drm.c:1448 swaywm#3 0x7f38af5d2058 in scan_drm_connectors ../subprojects/wlroots/backend/drm/drm.c:1240 swaywm#4 0x7f38af5c6a59 in drm_invalidated ../subprojects/wlroots/backend/drm/backend.c:135 swaywm#5 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29 swaywm#6 0x7f38af5e827a in udev_event ../subprojects/wlroots/backend/session/session.c:52 swaywm#7 0x7f38aef5d7f1 in wl_event_loop_dispatch (/usr/lib/libwayland-server.so.0+0xa7f1) swaywm#8 0x7f38aef5c39b in wl_display_run (/usr/lib/libwayland-server.so.0+0x939b) swaywm#9 0x560c1ac0afbe in server_run ../sway/server.c:225 swaywm#10 0x560c1ac09382 in main ../sway/main.c:397 swaywm#11 0x7f38aed35ce2 in __libc_start_main (/usr/lib/libc.so.6+0x23ce2) swaywm#12 0x560c1abea10d in _start (/usr/local/bin/sway+0x3910d) 0x614000017088 is located 72 bytes inside of 432-byte region [0x614000017040,0x6140000171f0) freed by thread T0 here: #0 0x7f38af82df89 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:66 swaywm#1 0x560c1acbd1ed in output_destroy ../sway/tree/output.c:243 swaywm#2 0x560c1ac23ce5 in transaction_destroy ../sway/desktop/transaction.c:66 swaywm#3 0x560c1ac26b71 in transaction_progress_queue ../sway/desktop/transaction.c:348 swaywm#4 0x560c1ac284ca in transaction_commit_dirty ../sway/desktop/transaction.c:539 swaywm#5 0x560c1ac17110 in handle_destroy ../sway/desktop/output.c:564 swaywm#6 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29 swaywm#7 0x7f38af5d3dfc in drm_connector_cleanup ../subprojects/wlroots/backend/drm/drm.c:1448 swaywm#8 0x7f38af5d2058 in scan_drm_connectors ../subprojects/wlroots/backend/drm/drm.c:1240 swaywm#9 0x7f38af5c6a59 in drm_invalidated ../subprojects/wlroots/backend/drm/backend.c:135 swaywm#10 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29 swaywm#11 0x7f38af5e827a in udev_event ../subprojects/wlroots/backend/session/session.c:52 swaywm#12 0x7f38aef5d7f1 in wl_event_loop_dispatch (/usr/lib/libwayland-server.so.0+0xa7f1) previously allocated by thread T0 here: #0 0x7f38af82e5a1 in __interceptor_calloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:95 swaywm#1 0x560c1acbc228 in output_create ../sway/tree/output.c:91 swaywm#2 0x560c1ac17ba2 in handle_new_output ../sway/desktop/output.c:656 swaywm#3 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29 swaywm#4 0x7f38af5e4ce8 in new_output_reemit ../subprojects/wlroots/backend/multi/backend.c:143 swaywm#5 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29 swaywm#6 0x7f38af5d26d4 in scan_drm_connectors ../subprojects/wlroots/backend/drm/drm.c:1294 swaywm#7 0x7f38af5c6a59 in drm_invalidated ../subprojects/wlroots/backend/drm/backend.c:135 swaywm#8 0x7f38af69330e in wlr_signal_emit_safe ../subprojects/wlroots/util/signal.c:29 swaywm#9 0x7f38af5e827a in udev_event ../subprojects/wlroots/backend/session/session.c:52 swaywm#10 0x7f38aef5d7f1 in wl_event_loop_dispatch (/usr/lib/libwayland-server.so.0+0xa7f1) SUMMARY: AddressSanitizer: heap-use-after-free ../sway/desktop/output.c:566 in handle_destroy Shadow bytes around the buggy address: 0x0c287fffadc0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c287fffadd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c287fffade0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c287fffadf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c287fffae00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd =>0x0c287fffae10: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c287fffae20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c287fffae30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa 0x0c287fffae40: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c287fffae50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c287fffae60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Retrieve the reference before the output is destroyed and update the output_management state with the saved reference.

This fixes the following crash: #0 0x00007f7daac3af25 in raise () at /usr/lib/libc.so.6 swaywm#1 0x00007f7daac24897 in abort () at /usr/lib/libc.so.6 swaywm#2 0x00007f7daac24767 in _nl_load_domain.cold () at /usr/lib/libc.so.6 swaywm#3 0x00007f7daac33526 in () at /usr/lib/libc.so.6 swaywm#4 0x0000555bfbc35029 in seat_set_focus_layer (seat=0x555bfd76d860, layer=0x555bfdda2ff0) at ../sway/input/seat.c:1164 __PRETTY_FUNCTION__ = "seat_set_focus_layer" __PRETTY_FUNCTION__ = "seat_set_focus_layer" swaywm#5 0x0000555bfbc35029 in seat_set_focus_layer (seat=seat@entry=0x555bfd76d860, layer=0x555bfdda2ff0) at ../sway/input/seat.c:1164 __PRETTY_FUNCTION__ = "seat_set_focus_layer" swaywm#6 0x0000555bfbc25899 in handle_output_destroy (listener=0x555bfdb90688, data=<optimized out>) at ../sway/desktop/layer_shell.c:263 layer = 0x555bfdd6b040 sway_layer = 0x555bfdb90610 seat = 0x555bfd76d860 client = 0x555bfdb76d70 set_focus = <optimized out> swaywm#7 0x0000555bfbc5b669 in wl_signal_emit (data=0x555bfd795930, signal=0x555bfd795ae0) at /usr/include/wayland-server-core.h:472 l = <optimized out> next = 0x555bfdb6a3e8 __PRETTY_FUNCTION__ = "output_disable" index = <optimized out> swaywm#8 0x0000555bfbc5b669 in output_disable (output=output@entry=0x555bfd795930) at ../sway/tree/output.c:263 __PRETTY_FUNCTION__ = "output_disable" index = <optimized out> swaywm#9 0x0000555bfbc3b890 in apply_output_config (oc=0x555bfd7d73d0, output=output@entry=0x555bfd795930) at ../sway/config/output.c:321 wlr_output = 0x555bfd7afaf0 scale = <optimized out> output_box = <optimized out> swaywm#10 0x0000555bfbc28309 in handle_output_manager_apply (listener=0x555bfbc7f148 <server+488>, data=0x555bfdca6eb0) at ../sway/desktop/output.c:936 wlr_output = <optimized out> output = 0x555bfd795930 oc = <optimized out> server = 0x555bfbc7ef60 <server> config = 0x555bfdca6eb0 config_head = 0x555bfdb79350 ok = true swaywm#11 0x00007f7dab4fbf7c in wlr_signal_emit_safe (signal=<optimized out>, data=0x555bfdca6eb0) at ../subprojects/wlroots/util/signal.c:29 pos = 0x555bfbc7f148 <server+488> l = 0x555bfbc7f148 <server+488> cursor = {link = {prev = 0x555bfbc7f148 <server+488>, next = 0x7fff238a8390}, notify = 0x7f7dab4fbef0 <handle_noop>} end = {link = {prev = 0x7fff238a8370, next = 0x555bfd7419f8}, notify = 0x7f7dab4fbef0 <handle_noop>} swaywm#12 0x00007f7daa45469a in ffi_call_unix64 () at /usr/lib/libffi.so.6 swaywm#13 0x00007f7daa453fb6 in ffi_call () at /usr/lib/libffi.so.6 swaywm#14 0x00007f7daae6f82f in () at /usr/lib/libwayland-server.so.0 swaywm#15 0x00007f7daae6c193 in () at /usr/lib/libwayland-server.so.0 swaywm#16 0x00007f7daae6d7f2 in wl_event_loop_dispatch () at /usr/lib/libwayland-server.so.0 swaywm#17 0x00007f7daae6c39c in wl_display_run () at /usr/lib/libwayland-server.so.0 This crash happens because focus can only be set on mapped surfaces.

This fixes the following crash: #0 0x00007f7daac3af25 in raise () at /usr/lib/libc.so.6 #1 0x00007f7daac24897 in abort () at /usr/lib/libc.so.6 #2 0x00007f7daac24767 in _nl_load_domain.cold () at /usr/lib/libc.so.6 #3 0x00007f7daac33526 in () at /usr/lib/libc.so.6 #4 0x0000555bfbc35029 in seat_set_focus_layer (seat=0x555bfd76d860, layer=0x555bfdda2ff0) at ../sway/input/seat.c:1164 __PRETTY_FUNCTION__ = "seat_set_focus_layer" __PRETTY_FUNCTION__ = "seat_set_focus_layer" #5 0x0000555bfbc35029 in seat_set_focus_layer (seat=seat@entry=0x555bfd76d860, layer=0x555bfdda2ff0) at ../sway/input/seat.c:1164 __PRETTY_FUNCTION__ = "seat_set_focus_layer" #6 0x0000555bfbc25899 in handle_output_destroy (listener=0x555bfdb90688, data=<optimized out>) at ../sway/desktop/layer_shell.c:263 layer = 0x555bfdd6b040 sway_layer = 0x555bfdb90610 seat = 0x555bfd76d860 client = 0x555bfdb76d70 set_focus = <optimized out> #7 0x0000555bfbc5b669 in wl_signal_emit (data=0x555bfd795930, signal=0x555bfd795ae0) at /usr/include/wayland-server-core.h:472 l = <optimized out> next = 0x555bfdb6a3e8 __PRETTY_FUNCTION__ = "output_disable" index = <optimized out> #8 0x0000555bfbc5b669 in output_disable (output=output@entry=0x555bfd795930) at ../sway/tree/output.c:263 __PRETTY_FUNCTION__ = "output_disable" index = <optimized out> #9 0x0000555bfbc3b890 in apply_output_config (oc=0x555bfd7d73d0, output=output@entry=0x555bfd795930) at ../sway/config/output.c:321 wlr_output = 0x555bfd7afaf0 scale = <optimized out> output_box = <optimized out> #10 0x0000555bfbc28309 in handle_output_manager_apply (listener=0x555bfbc7f148 <server+488>, data=0x555bfdca6eb0) at ../sway/desktop/output.c:936 wlr_output = <optimized out> output = 0x555bfd795930 oc = <optimized out> server = 0x555bfbc7ef60 <server> config = 0x555bfdca6eb0 config_head = 0x555bfdb79350 ok = true #11 0x00007f7dab4fbf7c in wlr_signal_emit_safe (signal=<optimized out>, data=0x555bfdca6eb0) at ../subprojects/wlroots/util/signal.c:29 pos = 0x555bfbc7f148 <server+488> l = 0x555bfbc7f148 <server+488> cursor = {link = {prev = 0x555bfbc7f148 <server+488>, next = 0x7fff238a8390}, notify = 0x7f7dab4fbef0 <handle_noop>} end = {link = {prev = 0x7fff238a8370, next = 0x555bfd7419f8}, notify = 0x7f7dab4fbef0 <handle_noop>} #12 0x00007f7daa45469a in ffi_call_unix64 () at /usr/lib/libffi.so.6 #13 0x00007f7daa453fb6 in ffi_call () at /usr/lib/libffi.so.6 #14 0x00007f7daae6f82f in () at /usr/lib/libwayland-server.so.0 #15 0x00007f7daae6c193 in () at /usr/lib/libwayland-server.so.0 #16 0x00007f7daae6d7f2 in wl_event_loop_dispatch () at /usr/lib/libwayland-server.so.0 #17 0x00007f7daae6c39c in wl_display_run () at /usr/lib/libwayland-server.so.0 This crash happens because focus can only be set on mapped surfaces.

Instead of removing the destroy listeners in the output destory, remove them in the damage destroy handler. Fixes the following use after free: ==646625==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200017cab8 at pc 0x0000004f8f29 bp 0x7ffdf465ad30 sp 0x7ffdf465ad20 WRITE of size 8 at 0x61200017cab8 thread T0 #0 0x4f8f28 in wl_list_remove ../common/list.c:181 swaywm#1 0x43dd24 in handle_destroy ../sway/desktop/output.c:790 (`wl_list_remove(&output->damage_destroy.link);` here, 214e3030e1dce master branch) swaywm#2 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#3 0x7f0e57390954 in wlr_output_destroy ../types/wlr_output.c:365 swaywm#4 0x7f0e5735e37f in backend_destroy ../backend/x11/backend.c:128 swaywm#5 0x7f0e57348147 in wlr_backend_destroy ../backend/backend.c:47 swaywm#6 0x7f0e57356f75 in multi_backend_destroy ../backend/multi/backend.c:54 swaywm#7 0x7f0e5735710e in handle_display_destroy ../backend/multi/backend.c:107 swaywm#8 0x7f0e573f23e4 in wl_display_destroy (/lib64/libwayland-server.so.0+0x93e4) swaywm#9 0x42f0b2 in server_fini ../sway/server.c:177 swaywm#10 0x42dd01 in main ../sway/main.c:414 swaywm#11 0x7f0e570f7041 in __libc_start_main (/lib64/libc.so.6+0x27041) swaywm#12 0x40e3bd in _start (/opt/wayland/bin/sway+0x40e3bd) 0x61200017cab8 is located 120 bytes inside of 320-byte region [0x61200017ca40,0x61200017cb80) freed by thread T0 here: #0 0x7f0e57aa9357 in __interceptor_free (/lib64/libasan.so.6+0xb0357) swaywm#1 0x7f0e5738b877 in wlr_output_damage_destroy ../types/wlr_output_damage.c:143 swaywm#2 0x7f0e5738b2b9 in output_handle_destroy ../types/wlr_output_damage.c:13 swaywm#3 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#4 0x7f0e57390954 in wlr_output_destroy ../types/wlr_output.c:365 swaywm#5 0x7f0e5735e37f in backend_destroy ../backend/x11/backend.c:128 swaywm#6 0x7f0e57348147 in wlr_backend_destroy ../backend/backend.c:47 swaywm#7 0x7f0e57356f75 in multi_backend_destroy ../backend/multi/backend.c:54 swaywm#8 0x7f0e5735710e in handle_display_destroy ../backend/multi/backend.c:107 swaywm#9 0x7f0e573f23e4 in wl_display_destroy (/lib64/libwayland-server.so.0+0x93e4) previously allocated by thread T0 here: #0 0x7f0e57aa9887 in __interceptor_calloc (/lib64/libasan.so.6+0xb0887) swaywm#1 0x7f0e5738b532 in wlr_output_damage_create ../types/wlr_output_damage.c:91 swaywm#2 0x43e4a7 in handle_new_output ../sway/desktop/output.c:875 swaywm#3 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#4 0x7f0e57357261 in new_output_reemit ../backend/multi/backend.c:143 swaywm#5 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#6 0x7f0e5736030a in wlr_x11_output_create ../backend/x11/output.c:253 swaywm#7 0x7f0e5735e309 in backend_start ../backend/x11/backend.c:113 swaywm#8 0x7f0e573480fb in wlr_backend_start ../backend/backend.c:36 swaywm#9 0x7f0e57356e61 in multi_backend_start ../backend/multi/backend.c:31 swaywm#10 0x7f0e573480fb in wlr_backend_start ../backend/backend.c:36 swaywm#11 0x42f4ba in server_start ../sway/server.c:205 swaywm#12 0x42dbd7 in main ../sway/main.c:394 swaywm#13 0x7f0e570f7041 in __libc_start_main (/lib64/libc.so.6+0x27041) Fixes swaywm#5158

Instead of removing the destroy listeners in the output destroy, remove them in the damage destroy handler. Fixes the following use after free: ==646625==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200017cab8 at pc 0x0000004f8f29 bp 0x7ffdf465ad30 sp 0x7ffdf465ad20 WRITE of size 8 at 0x61200017cab8 thread T0 #0 0x4f8f28 in wl_list_remove ../common/list.c:181 swaywm#1 0x43dd24 in handle_destroy ../sway/desktop/output.c:790 (`wl_list_remove(&output->damage_destroy.link);` here, 214e3030e1dce master branch) swaywm#2 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#3 0x7f0e57390954 in wlr_output_destroy ../types/wlr_output.c:365 swaywm#4 0x7f0e5735e37f in backend_destroy ../backend/x11/backend.c:128 swaywm#5 0x7f0e57348147 in wlr_backend_destroy ../backend/backend.c:47 swaywm#6 0x7f0e57356f75 in multi_backend_destroy ../backend/multi/backend.c:54 swaywm#7 0x7f0e5735710e in handle_display_destroy ../backend/multi/backend.c:107 swaywm#8 0x7f0e573f23e4 in wl_display_destroy (/lib64/libwayland-server.so.0+0x93e4) swaywm#9 0x42f0b2 in server_fini ../sway/server.c:177 swaywm#10 0x42dd01 in main ../sway/main.c:414 swaywm#11 0x7f0e570f7041 in __libc_start_main (/lib64/libc.so.6+0x27041) swaywm#12 0x40e3bd in _start (/opt/wayland/bin/sway+0x40e3bd) 0x61200017cab8 is located 120 bytes inside of 320-byte region [0x61200017ca40,0x61200017cb80) freed by thread T0 here: #0 0x7f0e57aa9357 in __interceptor_free (/lib64/libasan.so.6+0xb0357) swaywm#1 0x7f0e5738b877 in wlr_output_damage_destroy ../types/wlr_output_damage.c:143 swaywm#2 0x7f0e5738b2b9 in output_handle_destroy ../types/wlr_output_damage.c:13 swaywm#3 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#4 0x7f0e57390954 in wlr_output_destroy ../types/wlr_output.c:365 swaywm#5 0x7f0e5735e37f in backend_destroy ../backend/x11/backend.c:128 swaywm#6 0x7f0e57348147 in wlr_backend_destroy ../backend/backend.c:47 swaywm#7 0x7f0e57356f75 in multi_backend_destroy ../backend/multi/backend.c:54 swaywm#8 0x7f0e5735710e in handle_display_destroy ../backend/multi/backend.c:107 swaywm#9 0x7f0e573f23e4 in wl_display_destroy (/lib64/libwayland-server.so.0+0x93e4) previously allocated by thread T0 here: #0 0x7f0e57aa9887 in __interceptor_calloc (/lib64/libasan.so.6+0xb0887) swaywm#1 0x7f0e5738b532 in wlr_output_damage_create ../types/wlr_output_damage.c:91 swaywm#2 0x43e4a7 in handle_new_output ../sway/desktop/output.c:875 swaywm#3 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#4 0x7f0e57357261 in new_output_reemit ../backend/multi/backend.c:143 swaywm#5 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#6 0x7f0e5736030a in wlr_x11_output_create ../backend/x11/output.c:253 swaywm#7 0x7f0e5735e309 in backend_start ../backend/x11/backend.c:113 swaywm#8 0x7f0e573480fb in wlr_backend_start ../backend/backend.c:36 swaywm#9 0x7f0e57356e61 in multi_backend_start ../backend/multi/backend.c:31 swaywm#10 0x7f0e573480fb in wlr_backend_start ../backend/backend.c:36 swaywm#11 0x42f4ba in server_start ../sway/server.c:205 swaywm#12 0x42dbd7 in main ../sway/main.c:394 swaywm#13 0x7f0e570f7041 in __libc_start_main (/lib64/libc.so.6+0x27041) Fixes swaywm#5158

Instead of removing the destroy listeners in the output destroy, remove them in the damage destroy handler. Fixes the following use after free: ==646625==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200017cab8 at pc 0x0000004f8f29 bp 0x7ffdf465ad30 sp 0x7ffdf465ad20 WRITE of size 8 at 0x61200017cab8 thread T0 #0 0x4f8f28 in wl_list_remove ../common/list.c:181 #1 0x43dd24 in handle_destroy ../sway/desktop/output.c:790 (`wl_list_remove(&output->damage_destroy.link);` here, 214e3030e1dce master branch) #2 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29 #3 0x7f0e57390954 in wlr_output_destroy ../types/wlr_output.c:365 #4 0x7f0e5735e37f in backend_destroy ../backend/x11/backend.c:128 #5 0x7f0e57348147 in wlr_backend_destroy ../backend/backend.c:47 #6 0x7f0e57356f75 in multi_backend_destroy ../backend/multi/backend.c:54 #7 0x7f0e5735710e in handle_display_destroy ../backend/multi/backend.c:107 #8 0x7f0e573f23e4 in wl_display_destroy (/lib64/libwayland-server.so.0+0x93e4) #9 0x42f0b2 in server_fini ../sway/server.c:177 #10 0x42dd01 in main ../sway/main.c:414 #11 0x7f0e570f7041 in __libc_start_main (/lib64/libc.so.6+0x27041) #12 0x40e3bd in _start (/opt/wayland/bin/sway+0x40e3bd) 0x61200017cab8 is located 120 bytes inside of 320-byte region [0x61200017ca40,0x61200017cb80) freed by thread T0 here: #0 0x7f0e57aa9357 in __interceptor_free (/lib64/libasan.so.6+0xb0357) #1 0x7f0e5738b877 in wlr_output_damage_destroy ../types/wlr_output_damage.c:143 #2 0x7f0e5738b2b9 in output_handle_destroy ../types/wlr_output_damage.c:13 #3 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29 #4 0x7f0e57390954 in wlr_output_destroy ../types/wlr_output.c:365 #5 0x7f0e5735e37f in backend_destroy ../backend/x11/backend.c:128 #6 0x7f0e57348147 in wlr_backend_destroy ../backend/backend.c:47 #7 0x7f0e57356f75 in multi_backend_destroy ../backend/multi/backend.c:54 #8 0x7f0e5735710e in handle_display_destroy ../backend/multi/backend.c:107 #9 0x7f0e573f23e4 in wl_display_destroy (/lib64/libwayland-server.so.0+0x93e4) previously allocated by thread T0 here: #0 0x7f0e57aa9887 in __interceptor_calloc (/lib64/libasan.so.6+0xb0887) #1 0x7f0e5738b532 in wlr_output_damage_create ../types/wlr_output_damage.c:91 #2 0x43e4a7 in handle_new_output ../sway/desktop/output.c:875 #3 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29 #4 0x7f0e57357261 in new_output_reemit ../backend/multi/backend.c:143 #5 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29 #6 0x7f0e5736030a in wlr_x11_output_create ../backend/x11/output.c:253 #7 0x7f0e5735e309 in backend_start ../backend/x11/backend.c:113 #8 0x7f0e573480fb in wlr_backend_start ../backend/backend.c:36 #9 0x7f0e57356e61 in multi_backend_start ../backend/multi/backend.c:31 #10 0x7f0e573480fb in wlr_backend_start ../backend/backend.c:36 #11 0x42f4ba in server_start ../sway/server.c:205 #12 0x42dbd7 in main ../sway/main.c:394 #13 0x7f0e570f7041 in __libc_start_main (/lib64/libc.so.6+0x27041) Fixes #5158

remove view from its own unmap event listener so when subsurfaces link try to remove themselves they won't run into it. This fixes the following ASAN use-after-free error on a build slightly modifier to instrument wl_list operations: ==71705==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000829a0 at pc 0x000000508eb7 bp 0x7ffec8fd8030 sp 0x7ffec8fd8028 WRITE of size 8 at 0x6160000829a0 thread T0 #0 0x508eb6 in wl_list_remove ../common/list.c:181 swaywm#1 0x4f4998 in view_child_destroy ../sway/tree/view.c:1131 swaywm#2 0x4f38fa in subsurface_handle_destroy ../sway/tree/view.c:946 swaywm#3 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#4 0x7fda5072f0dd in subsurface_destroy ../types/wlr_surface.c:649 swaywm#5 0x7fda507312c4 in subsurface_handle_surface_destroy ../types/wlr_surface.c:1094 swaywm#6 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#7 0x7fda5072f305 in surface_handle_resource_destroy ../types/wlr_surface.c:677 swaywm#8 0x7fda508180ce in destroy_resource (/lib64/libwayland-server.so.0+0xc0ce) swaywm#9 0x7fda508187f2 in wl_client_destroy (/lib64/libwayland-server.so.0+0xc7f2) swaywm#10 0x7fda50818e5f in wl_client_connection_data (/lib64/libwayland-server.so.0+0xce5f) swaywm#11 0x7fda50818219 in wl_event_loop_dispatch (/lib64/libwayland-server.so.0+0xc219) swaywm#12 0x7fda50818984 in wl_display_run (/lib64/libwayland-server.so.0+0xc984) swaywm#13 0x43122c in server_run ../sway/server.c:254 swaywm#14 0x42f47c in main ../sway/main.c:433 swaywm#15 0x7fda503cab74 in __libc_start_main (/lib64/libc.so.6+0x27b74) swaywm#16 0x40f6fd in _start (/opt/wayland/bin/sway+0x40f6fd) 0x6160000829a0 is located 288 bytes inside of 592-byte region [0x616000082880,0x616000082ad0) freed by thread T0 here: #0 0x7fda50f01a27 in free (/lib64/libasan.so.6+0xaea27) swaywm#1 0x4532d8 in destroy ../sway/desktop/xdg_shell.c:262 swaywm#2 0x4ed17b in view_destroy ../sway/tree/view.c:67 swaywm#3 0x4ed300 in view_begin_destroy ../sway/tree/view.c:83 swaywm#4 0x454a3f in handle_destroy ../sway/desktop/xdg_shell.c:507 swaywm#5 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#6 0x7fda506e2c87 in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:481 swaywm#7 0x7fda506e3018 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:516 swaywm#8 0x7fda506dfbe5 in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71 swaywm#9 0x7fda508180ce in destroy_resource (/lib64/libwayland-server.so.0+0xc0ce) previously allocated by thread T0 here: #0 0x7fda50f01ed7 in calloc (/lib64/libasan.so.6+0xaeed7) swaywm#1 0x454bc8 in handle_xdg_shell_surface ../sway/desktop/xdg_shell.c:528 swaywm#2 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#3 0x7fda506e2363 in handle_xdg_surface_commit ../types/xdg_shell/wlr_xdg_surface.c:378 swaywm#4 0x7fda5072e368 in surface_commit_state ../types/wlr_surface.c:455 swaywm#5 0x7fda5072e51d in surface_commit_pending ../types/wlr_surface.c:474 swaywm#6 0x7fda5072ea58 in surface_commit ../types/wlr_surface.c:542 swaywm#7 0x7fda4fb3ac03 in ffi_call_unix64 (/lib64/libffi.so.6+0x6c03) Fixes swaywm#5168

remove view from its own unmap event listener so when subsurfaces link try to remove themselves they won't run into it. This fixes the following ASAN use-after-free error on a build slightly modified to instrument wl_list operations: ==71705==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000829a0 at pc 0x000000508eb7 bp 0x7ffec8fd8030 sp 0x7ffec8fd8028 WRITE of size 8 at 0x6160000829a0 thread T0 #0 0x508eb6 in wl_list_remove ../common/list.c:181 swaywm#1 0x4f4998 in view_child_destroy ../sway/tree/view.c:1131 swaywm#2 0x4f38fa in subsurface_handle_destroy ../sway/tree/view.c:946 swaywm#3 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#4 0x7fda5072f0dd in subsurface_destroy ../types/wlr_surface.c:649 swaywm#5 0x7fda507312c4 in subsurface_handle_surface_destroy ../types/wlr_surface.c:1094 swaywm#6 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#7 0x7fda5072f305 in surface_handle_resource_destroy ../types/wlr_surface.c:677 swaywm#8 0x7fda508180ce in destroy_resource (/lib64/libwayland-server.so.0+0xc0ce) swaywm#9 0x7fda508187f2 in wl_client_destroy (/lib64/libwayland-server.so.0+0xc7f2) swaywm#10 0x7fda50818e5f in wl_client_connection_data (/lib64/libwayland-server.so.0+0xce5f) swaywm#11 0x7fda50818219 in wl_event_loop_dispatch (/lib64/libwayland-server.so.0+0xc219) swaywm#12 0x7fda50818984 in wl_display_run (/lib64/libwayland-server.so.0+0xc984) swaywm#13 0x43122c in server_run ../sway/server.c:254 swaywm#14 0x42f47c in main ../sway/main.c:433 swaywm#15 0x7fda503cab74 in __libc_start_main (/lib64/libc.so.6+0x27b74) swaywm#16 0x40f6fd in _start (/opt/wayland/bin/sway+0x40f6fd) 0x6160000829a0 is located 288 bytes inside of 592-byte region [0x616000082880,0x616000082ad0) freed by thread T0 here: #0 0x7fda50f01a27 in free (/lib64/libasan.so.6+0xaea27) swaywm#1 0x4532d8 in destroy ../sway/desktop/xdg_shell.c:262 swaywm#2 0x4ed17b in view_destroy ../sway/tree/view.c:67 swaywm#3 0x4ed300 in view_begin_destroy ../sway/tree/view.c:83 swaywm#4 0x454a3f in handle_destroy ../sway/desktop/xdg_shell.c:507 swaywm#5 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#6 0x7fda506e2c87 in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:481 swaywm#7 0x7fda506e3018 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:516 swaywm#8 0x7fda506dfbe5 in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71 swaywm#9 0x7fda508180ce in destroy_resource (/lib64/libwayland-server.so.0+0xc0ce) previously allocated by thread T0 here: #0 0x7fda50f01ed7 in calloc (/lib64/libasan.so.6+0xaeed7) swaywm#1 0x454bc8 in handle_xdg_shell_surface ../sway/desktop/xdg_shell.c:528 swaywm#2 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#3 0x7fda506e2363 in handle_xdg_surface_commit ../types/xdg_shell/wlr_xdg_surface.c:378 swaywm#4 0x7fda5072e368 in surface_commit_state ../types/wlr_surface.c:455 swaywm#5 0x7fda5072e51d in surface_commit_pending ../types/wlr_surface.c:474 swaywm#6 0x7fda5072ea58 in surface_commit ../types/wlr_surface.c:542 swaywm#7 0x7fda4fb3ac03 in ffi_call_unix64 (/lib64/libffi.so.6+0x6c03) Fixes swaywm#5168

remove view from its own unmap event listener so when subsurfaces link try to remove themselves they won't run into it. This fixes the following ASAN use-after-free error on a build slightly modified to instrument wl_list operations: ==71705==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000829a0 at pc 0x000000508eb7 bp 0x7ffec8fd8030 sp 0x7ffec8fd8028 WRITE of size 8 at 0x6160000829a0 thread T0 #0 0x508eb6 in wl_list_remove ../common/list.c:181 #1 0x4f4998 in view_child_destroy ../sway/tree/view.c:1131 #2 0x4f38fa in subsurface_handle_destroy ../sway/tree/view.c:946 #3 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29 #4 0x7fda5072f0dd in subsurface_destroy ../types/wlr_surface.c:649 #5 0x7fda507312c4 in subsurface_handle_surface_destroy ../types/wlr_surface.c:1094 #6 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29 #7 0x7fda5072f305 in surface_handle_resource_destroy ../types/wlr_surface.c:677 #8 0x7fda508180ce in destroy_resource (/lib64/libwayland-server.so.0+0xc0ce) #9 0x7fda508187f2 in wl_client_destroy (/lib64/libwayland-server.so.0+0xc7f2) #10 0x7fda50818e5f in wl_client_connection_data (/lib64/libwayland-server.so.0+0xce5f) #11 0x7fda50818219 in wl_event_loop_dispatch (/lib64/libwayland-server.so.0+0xc219) #12 0x7fda50818984 in wl_display_run (/lib64/libwayland-server.so.0+0xc984) #13 0x43122c in server_run ../sway/server.c:254 #14 0x42f47c in main ../sway/main.c:433 #15 0x7fda503cab74 in __libc_start_main (/lib64/libc.so.6+0x27b74) #16 0x40f6fd in _start (/opt/wayland/bin/sway+0x40f6fd) 0x6160000829a0 is located 288 bytes inside of 592-byte region [0x616000082880,0x616000082ad0) freed by thread T0 here: #0 0x7fda50f01a27 in free (/lib64/libasan.so.6+0xaea27) #1 0x4532d8 in destroy ../sway/desktop/xdg_shell.c:262 #2 0x4ed17b in view_destroy ../sway/tree/view.c:67 #3 0x4ed300 in view_begin_destroy ../sway/tree/view.c:83 #4 0x454a3f in handle_destroy ../sway/desktop/xdg_shell.c:507 #5 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29 #6 0x7fda506e2c87 in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:481 #7 0x7fda506e3018 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:516 #8 0x7fda506dfbe5 in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71 #9 0x7fda508180ce in destroy_resource (/lib64/libwayland-server.so.0+0xc0ce) previously allocated by thread T0 here: #0 0x7fda50f01ed7 in calloc (/lib64/libasan.so.6+0xaeed7) #1 0x454bc8 in handle_xdg_shell_surface ../sway/desktop/xdg_shell.c:528 #2 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29 #3 0x7fda506e2363 in handle_xdg_surface_commit ../types/xdg_shell/wlr_xdg_surface.c:378 #4 0x7fda5072e368 in surface_commit_state ../types/wlr_surface.c:455 #5 0x7fda5072e51d in surface_commit_pending ../types/wlr_surface.c:474 #6 0x7fda5072ea58 in surface_commit ../types/wlr_surface.c:542 #7 0x7fda4fb3ac03 in ffi_call_unix64 (/lib64/libffi.so.6+0x6c03) Fixes #5168

remove view from its own unmap event listener so when subsurfaces link try to remove themselves they won't run into it. This fixes the following ASAN use-after-free error on a build slightly modified to instrument wl_list operations: ==71705==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000829a0 at pc 0x000000508eb7 bp 0x7ffec8fd8030 sp 0x7ffec8fd8028 WRITE of size 8 at 0x6160000829a0 thread T0 #0 0x508eb6 in wl_list_remove ../common/list.c:181 swaywm#1 0x4f4998 in view_child_destroy ../sway/tree/view.c:1131 swaywm#2 0x4f38fa in subsurface_handle_destroy ../sway/tree/view.c:946 swaywm#3 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#4 0x7fda5072f0dd in subsurface_destroy ../types/wlr_surface.c:649 swaywm#5 0x7fda507312c4 in subsurface_handle_surface_destroy ../types/wlr_surface.c:1094 swaywm#6 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#7 0x7fda5072f305 in surface_handle_resource_destroy ../types/wlr_surface.c:677 swaywm#8 0x7fda508180ce in destroy_resource (/lib64/libwayland-server.so.0+0xc0ce) swaywm#9 0x7fda508187f2 in wl_client_destroy (/lib64/libwayland-server.so.0+0xc7f2) swaywm#10 0x7fda50818e5f in wl_client_connection_data (/lib64/libwayland-server.so.0+0xce5f) swaywm#11 0x7fda50818219 in wl_event_loop_dispatch (/lib64/libwayland-server.so.0+0xc219) swaywm#12 0x7fda50818984 in wl_display_run (/lib64/libwayland-server.so.0+0xc984) swaywm#13 0x43122c in server_run ../sway/server.c:254 swaywm#14 0x42f47c in main ../sway/main.c:433 swaywm#15 0x7fda503cab74 in __libc_start_main (/lib64/libc.so.6+0x27b74) swaywm#16 0x40f6fd in _start (/opt/wayland/bin/sway+0x40f6fd) 0x6160000829a0 is located 288 bytes inside of 592-byte region [0x616000082880,0x616000082ad0) freed by thread T0 here: #0 0x7fda50f01a27 in free (/lib64/libasan.so.6+0xaea27) swaywm#1 0x4532d8 in destroy ../sway/desktop/xdg_shell.c:262 swaywm#2 0x4ed17b in view_destroy ../sway/tree/view.c:67 swaywm#3 0x4ed300 in view_begin_destroy ../sway/tree/view.c:83 swaywm#4 0x454a3f in handle_destroy ../sway/desktop/xdg_shell.c:507 swaywm#5 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#6 0x7fda506e2c87 in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:481 swaywm#7 0x7fda506e3018 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:516 swaywm#8 0x7fda506dfbe5 in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71 swaywm#9 0x7fda508180ce in destroy_resource (/lib64/libwayland-server.so.0+0xc0ce) previously allocated by thread T0 here: #0 0x7fda50f01ed7 in calloc (/lib64/libasan.so.6+0xaeed7) swaywm#1 0x454bc8 in handle_xdg_shell_surface ../sway/desktop/xdg_shell.c:528 swaywm#2 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#3 0x7fda506e2363 in handle_xdg_surface_commit ../types/xdg_shell/wlr_xdg_surface.c:378 swaywm#4 0x7fda5072e368 in surface_commit_state ../types/wlr_surface.c:455 swaywm#5 0x7fda5072e51d in surface_commit_pending ../types/wlr_surface.c:474 swaywm#6 0x7fda5072ea58 in surface_commit ../types/wlr_surface.c:542 swaywm#7 0x7fda4fb3ac03 in ffi_call_unix64 (/lib64/libffi.so.6+0x6c03) Fixes swaywm#5168

remove view from its own unmap event listener so when subsurfaces link try to remove themselves they won't run into it. This fixes the following ASAN use-after-free error on a build slightly modified to instrument wl_list operations: ==71705==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000829a0 at pc 0x000000508eb7 bp 0x7ffec8fd8030 sp 0x7ffec8fd8028 WRITE of size 8 at 0x6160000829a0 thread T0 #0 0x508eb6 in wl_list_remove ../common/list.c:181 swaywm#1 0x4f4998 in view_child_destroy ../sway/tree/view.c:1131 swaywm#2 0x4f38fa in subsurface_handle_destroy ../sway/tree/view.c:946 swaywm#3 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#4 0x7fda5072f0dd in subsurface_destroy ../types/wlr_surface.c:649 swaywm#5 0x7fda507312c4 in subsurface_handle_surface_destroy ../types/wlr_surface.c:1094 swaywm#6 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#7 0x7fda5072f305 in surface_handle_resource_destroy ../types/wlr_surface.c:677 swaywm#8 0x7fda508180ce in destroy_resource (/lib64/libwayland-server.so.0+0xc0ce) swaywm#9 0x7fda508187f2 in wl_client_destroy (/lib64/libwayland-server.so.0+0xc7f2) swaywm#10 0x7fda50818e5f in wl_client_connection_data (/lib64/libwayland-server.so.0+0xce5f) swaywm#11 0x7fda50818219 in wl_event_loop_dispatch (/lib64/libwayland-server.so.0+0xc219) swaywm#12 0x7fda50818984 in wl_display_run (/lib64/libwayland-server.so.0+0xc984) swaywm#13 0x43122c in server_run ../sway/server.c:254 swaywm#14 0x42f47c in main ../sway/main.c:433 swaywm#15 0x7fda503cab74 in __libc_start_main (/lib64/libc.so.6+0x27b74) swaywm#16 0x40f6fd in _start (/opt/wayland/bin/sway+0x40f6fd) 0x6160000829a0 is located 288 bytes inside of 592-byte region [0x616000082880,0x616000082ad0) freed by thread T0 here: #0 0x7fda50f01a27 in free (/lib64/libasan.so.6+0xaea27) swaywm#1 0x4532d8 in destroy ../sway/desktop/xdg_shell.c:262 swaywm#2 0x4ed17b in view_destroy ../sway/tree/view.c:67 swaywm#3 0x4ed300 in view_begin_destroy ../sway/tree/view.c:83 swaywm#4 0x454a3f in handle_destroy ../sway/desktop/xdg_shell.c:507 swaywm#5 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#6 0x7fda506e2c87 in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:481 swaywm#7 0x7fda506e3018 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:516 swaywm#8 0x7fda506dfbe5 in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71 swaywm#9 0x7fda508180ce in destroy_resource (/lib64/libwayland-server.so.0+0xc0ce) previously allocated by thread T0 here: #0 0x7fda50f01ed7 in calloc (/lib64/libasan.so.6+0xaeed7) swaywm#1 0x454bc8 in handle_xdg_shell_surface ../sway/desktop/xdg_shell.c:528 swaywm#2 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29 swaywm#3 0x7fda506e2363 in handle_xdg_surface_commit ../types/xdg_shell/wlr_xdg_surface.c:378 swaywm#4 0x7fda5072e368 in surface_commit_state ../types/wlr_surface.c:455 swaywm#5 0x7fda5072e51d in surface_commit_pending ../types/wlr_surface.c:474 swaywm#6 0x7fda5072ea58 in surface_commit ../types/wlr_surface.c:542 swaywm#7 0x7fda4fb3ac03 in ffi_call_unix64 (/lib64/libffi.so.6+0x6c03) Fixes swaywm#5168 (cherry picked from commit 8529141)

remove view from its own unmap event listener so when subsurfaces link try to remove themselves they won't run into it. This fixes the following ASAN use-after-free error on a build slightly modified to instrument wl_list operations: ==71705==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000829a0 at pc 0x000000508eb7 bp 0x7ffec8fd8030 sp 0x7ffec8fd8028 WRITE of size 8 at 0x6160000829a0 thread T0 #0 0x508eb6 in wl_list_remove ../common/list.c:181 #1 0x4f4998 in view_child_destroy ../sway/tree/view.c:1131 #2 0x4f38fa in subsurface_handle_destroy ../sway/tree/view.c:946 #3 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29 #4 0x7fda5072f0dd in subsurface_destroy ../types/wlr_surface.c:649 #5 0x7fda507312c4 in subsurface_handle_surface_destroy ../types/wlr_surface.c:1094 #6 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29 #7 0x7fda5072f305 in surface_handle_resource_destroy ../types/wlr_surface.c:677 #8 0x7fda508180ce in destroy_resource (/lib64/libwayland-server.so.0+0xc0ce) #9 0x7fda508187f2 in wl_client_destroy (/lib64/libwayland-server.so.0+0xc7f2) #10 0x7fda50818e5f in wl_client_connection_data (/lib64/libwayland-server.so.0+0xce5f) #11 0x7fda50818219 in wl_event_loop_dispatch (/lib64/libwayland-server.so.0+0xc219) #12 0x7fda50818984 in wl_display_run (/lib64/libwayland-server.so.0+0xc984) #13 0x43122c in server_run ../sway/server.c:254 #14 0x42f47c in main ../sway/main.c:433 #15 0x7fda503cab74 in __libc_start_main (/lib64/libc.so.6+0x27b74) #16 0x40f6fd in _start (/opt/wayland/bin/sway+0x40f6fd) 0x6160000829a0 is located 288 bytes inside of 592-byte region [0x616000082880,0x616000082ad0) freed by thread T0 here: #0 0x7fda50f01a27 in free (/lib64/libasan.so.6+0xaea27) #1 0x4532d8 in destroy ../sway/desktop/xdg_shell.c:262 #2 0x4ed17b in view_destroy ../sway/tree/view.c:67 #3 0x4ed300 in view_begin_destroy ../sway/tree/view.c:83 #4 0x454a3f in handle_destroy ../sway/desktop/xdg_shell.c:507 #5 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29 #6 0x7fda506e2c87 in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:481 #7 0x7fda506e3018 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:516 #8 0x7fda506dfbe5 in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71 #9 0x7fda508180ce in destroy_resource (/lib64/libwayland-server.so.0+0xc0ce) previously allocated by thread T0 here: #0 0x7fda50f01ed7 in calloc (/lib64/libasan.so.6+0xaeed7) #1 0x454bc8 in handle_xdg_shell_surface ../sway/desktop/xdg_shell.c:528 #2 0x7fda50744892 in wlr_signal_emit_safe ../util/signal.c:29 #3 0x7fda506e2363 in handle_xdg_surface_commit ../types/xdg_shell/wlr_xdg_surface.c:378 #4 0x7fda5072e368 in surface_commit_state ../types/wlr_surface.c:455 #5 0x7fda5072e51d in surface_commit_pending ../types/wlr_surface.c:474 #6 0x7fda5072ea58 in surface_commit ../types/wlr_surface.c:542 #7 0x7fda4fb3ac03 in ffi_call_unix64 (/lib64/libffi.so.6+0x6c03) Fixes #5168 (cherry picked from commit 8529141)

There seems to be a null pointer access that can happen. I was able to reproduce this by running the cemu emulator[1] with the new collabora wine wayland driver[2] and opening and closing some sub menus. Adding a trival null check seems to do the trick to stop sway from crashing and returning to tty and everything else works normally. [1]: http://cemu.info/ [2]: https://www.winehq.org/pipermail/wine-devel/2021-December/203035.html Stack trace from lldb: * thread #1, name = 'sway', stop reason = signal SIGSEGV: invalid address (fault address: 0xf8) frame #0: 0x00005555555c3fc3 sway`view_child_init(child=0x0000555555f67940, impl=0x00005555555ee030, view=0x00005555565bc590, surface=0x00005555565b6940) at view.c:1117:25 1114 wl_signal_add(&view->events.unmap, &child->view_unmap); 1115 child->view_unmap.notify = view_child_handle_view_unmap; 1116 -> 1117 struct sway_workspace *workspace = child->view->container->pending.workspace; 1118 if (workspace) { 1119 wlr_surface_send_enter(child->surface, workspace->output->wlr_output); 1120 } (lldb) up error: sway {0x000342ab}: DIE has DW_AT_ranges(DW_FORM_sec_offset 0x67) attribute, but range extraction failed (invalid range list offset 0x67), please file a bug and attach the file at the start of this error message frame #1: 0x00005555555c39f8 sway`view_child_subsurface_create(child=0x00005555564a10d0, wlr_subsurface=0x0000555556586910) at view.c:985:2 982 } 983 subsurface->child.parent = child; 984 wl_list_insert(&child->children, &subsurface->child.link); -> 985 view_child_init(&subsurface->child, &subsurface_impl, child->view, 986 wlr_subsurface->surface); 987 988 wl_signal_add(&wlr_subsurface->events.destroy, &subsurface->destroy); (lldb) up frame swaywm#2: 0x00005555555c3c2a sway`view_child_handle_surface_new_subsurface(listener=0x00005555564a1130, data=0x0000555556586910) at view.c:1031:2 1028 struct sway_view_child *child = 1029 wl_container_of(listener, child, surface_new_subsurface); 1030 struct wlr_subsurface *subsurface = data; -> 1031 view_child_subsurface_create(child, subsurface); 1032 } 1033 1034 static void view_child_handle_surface_destroy(struct wl_listener *listener, (lldb) up frame swaywm#3: 0x00007ffff78f4bfe libwlroots.so.10`wlr_signal_emit_safe(signal=0x00005555565b2470, data=0x0000555556586910) at signal.c:29:3 26 wl_list_remove(&cursor.link); 27 wl_list_insert(pos, &cursor.link); 28 -> 29 l->notify(l, data); 30 } 31 32 wl_list_remove(&cursor.link); (lldb) up frame swaywm#4: 0x00007ffff78e5a41 libwlroots.so.10`subsurface_parent_commit(subsurface=0x0000555556586910) at wlr_surface.c:517:3 514 515 if (!subsurface->added) { 516 subsurface->added = true; -> 517 wlr_signal_emit_safe(&subsurface->parent->events.new_subsurface, 518 subsurface); 519 } 520 } (lldb) up frame swaywm#5: 0x00007ffff78e56fa libwlroots.so.10`surface_commit_state(surface=0x00005555565b21b0, next=0x00005555565b2338) at wlr_surface.c:439:3 436 wl_list_insert(&surface->current.subsurfaces_above, 437 &subsurface->current.link); 438 -> 439 subsurface_parent_commit(subsurface); 440 } 441 wl_list_for_each_reverse(subsurface, &surface->pending.subsurfaces_below, 442 pending.link) { (lldb) up frame swaywm#6: 0x00007ffff78e5b88 libwlroots.so.10`surface_handle_commit(client=0x0000555556564c80, resource=0x0000555556599a20) at wlr_surface.c:555:3 552 if (surface->pending.cached_state_locks > 0 || !wl_list_empty(&surface->cached)) { 553 surface_cache_pending(surface); 554 } else { -> 555 surface_commit_state(surface, &surface->pending); 556 } 557 } 558 (lldb) up frame swaywm#7: 0x00007ffff7000d4a libffi.so.8`___lldb_unnamed_symbol118 + 82 libffi.so.8`___lldb_unnamed_symbol118: -> 0x7ffff7000d4a <+82>: leaq 0x18(%rbp), %rsp 0x7ffff7000d4e <+86>: movq (%rbp), %rcx 0x7ffff7000d52 <+90>: movq 0x8(%rbp), %rdi 0x7ffff7000d56 <+94>: movq 0x10(%rbp), %rbp (lldb) up frame swaywm#8: 0x00007ffff7000267 libffi.so.8`___lldb_unnamed_symbol115 + 439 libffi.so.8`___lldb_unnamed_symbol115: -> 0x7ffff7000267 <+439>: movq -0x38(%rbp), %rax 0x7ffff700026b <+443>: subq %fs:0x28, %rax 0x7ffff7000274 <+452>: jne 0x7ffff70004e7 ; <+1079> 0x7ffff700027a <+458>: leaq -0x28(%rbp), %rsp (lldb) up frame swaywm#9: 0x00007ffff795a173 libwayland-server.so.0`___lldb_unnamed_symbol271 + 371 libwayland-server.so.0`___lldb_unnamed_symbol271: -> 0x7ffff795a173 <+371>: movq 0x8(%r12), %rax 0x7ffff795a178 <+376>: movq 0x8(%rax), %rdi 0x7ffff795a17c <+380>: movl (%r12), %eax 0x7ffff795a180 <+384>: testl %eax, %eax (lldb) up frame swaywm#10: 0x00007ffff795555c libwayland-server.so.0`___lldb_unnamed_symbol210 + 588 libwayland-server.so.0`___lldb_unnamed_symbol210: -> 0x7ffff795555c <+588>: jmp 0x7ffff7955435 ; <+293> 0x7ffff7955561 <+593>: nopl (%rax) 0x7ffff7955568 <+600>: callq *0xd76a(%rip) 0x7ffff795556e <+606>: cmpl $0xb, (%rax) (lldb) up frame swaywm#11: 0x00007ffff795804a libwayland-server.so.0`wl_event_loop_dispatch + 202 libwayland-server.so.0`wl_event_loop_dispatch: -> 0x7ffff795804a <+202>: addq $0xc, %r15 0x7ffff795804e <+206>: cmpq %r15, %rbp 0x7ffff7958051 <+209>: jne 0x7ffff7958038 ; <+184> 0x7ffff7958053 <+211>: movq 0x8(%rsp), %rcx1 (lldb) up frame swaywm#12: 0x00007ffff7955bc7 libwayland-server.so.0`wl_display_run + 39 libwayland-server.so.0`wl_display_run: -> 0x7ffff7955bc7 <+39>: movl 0x8(%rbx), %eax 0x7ffff7955bca <+42>: testl %eax, %eax 0x7ffff7955bcc <+44>: jne 0x7ffff7955bb0 ; <+16> 0x7ffff7955bce <+46>: popq %rbx (lldb) up frame swaywm#13: 0x00005555555756eb sway`server_run(server=0x00005555555f0640) at server.c:296:2 293 void server_run(struct sway_server *server) { 294 sway_log(SWAY_INFO, "Running compositor on wayland display '%s'", 295 server->socket); -> 296 wl_display_run(server->wl_display); 297 } (lldb) up frame swaywm#14: 0x0000555555574947 sway`main(argc=1, argv=0x00007fffffffe8d8) at main.c:428:2 425 swaynag_show(&config->swaynag_config_errors); 426 } 427 -> 428 server_run(&server); 429 430 shutdown: 431 sway_log(SWAY_INFO, "Shutting down sway"); (lldb) up frame swaywm#15: 0x00007ffff761db25 libc.so.6`__libc_start_main + 213 libc.so.6`__libc_start_main: -> 0x7ffff761db25 <+213>: movl %eax, %edi 0x7ffff761db27 <+215>: callq 0x7ffff7635630 ; exit 0x7ffff761db2c <+220>: movq (%rsp), %rax 0x7ffff761db30 <+224>: leaq 0x163929(%rip), %rdi (lldb) up frame swaywm#16: 0x00005555555656be sway`_start + 46 sway`_start: -> 0x5555555656be <+46>: hlt 0x5555555656bf: nop sway`deregister_tm_clones: 0x5555555656c0 <+0>: leaq 0x8aeb9(%rip), %rdi ; optind@GLIBC_2.2.5 0x5555555656c7 <+7>: leaq 0x8aeb2(%rip), %rax ; optind@GLIBC_2.2.5 Signed-off-by: Alexander Orzechowski <orzechowski.alexander@gmail.com>

There seems to be a null pointer access that can happen. I was able to reproduce this by running the cemu emulator[1] with the new collabora wine wayland driver[2] and opening and closing some sub menus. Adding a trival null check seems to do the trick to stop sway from crashing and returning to tty and everything else works normally. [1]: http://cemu.info/ [2]: https://www.winehq.org/pipermail/wine-devel/2021-December/203035.html Stack trace from lldb: * thread #1, name = 'sway', stop reason = signal SIGSEGV: invalid address (fault address: 0xf8) frame #0: 0x00005555555c3fc3 sway`view_child_init(child=0x0000555555f67940, impl=0x00005555555ee030, view=0x00005555565bc590, surface=0x00005555565b6940) at view.c:1117:25 1114 wl_signal_add(&view->events.unmap, &child->view_unmap); 1115 child->view_unmap.notify = view_child_handle_view_unmap; 1116 -> 1117 struct sway_workspace *workspace = child->view->container->pending.workspace; 1118 if (workspace) { 1119 wlr_surface_send_enter(child->surface, workspace->output->wlr_output); 1120 } (lldb) up error: sway {0x000342ab}: DIE has DW_AT_ranges(DW_FORM_sec_offset 0x67) attribute, but range extraction failed (invalid range list offset 0x67), please file a bug and attach the file at the start of this error message frame #1: 0x00005555555c39f8 sway`view_child_subsurface_create(child=0x00005555564a10d0, wlr_subsurface=0x0000555556586910) at view.c:985:2 982 } 983 subsurface->child.parent = child; 984 wl_list_insert(&child->children, &subsurface->child.link); -> 985 view_child_init(&subsurface->child, &subsurface_impl, child->view, 986 wlr_subsurface->surface); 987 988 wl_signal_add(&wlr_subsurface->events.destroy, &subsurface->destroy); (lldb) up frame #2: 0x00005555555c3c2a sway`view_child_handle_surface_new_subsurface(listener=0x00005555564a1130, data=0x0000555556586910) at view.c:1031:2 1028 struct sway_view_child *child = 1029 wl_container_of(listener, child, surface_new_subsurface); 1030 struct wlr_subsurface *subsurface = data; -> 1031 view_child_subsurface_create(child, subsurface); 1032 } 1033 1034 static void view_child_handle_surface_destroy(struct wl_listener *listener, (lldb) up frame #3: 0x00007ffff78f4bfe libwlroots.so.10`wlr_signal_emit_safe(signal=0x00005555565b2470, data=0x0000555556586910) at signal.c:29:3 26 wl_list_remove(&cursor.link); 27 wl_list_insert(pos, &cursor.link); 28 -> 29 l->notify(l, data); 30 } 31 32 wl_list_remove(&cursor.link); (lldb) up frame #4: 0x00007ffff78e5a41 libwlroots.so.10`subsurface_parent_commit(subsurface=0x0000555556586910) at wlr_surface.c:517:3 514 515 if (!subsurface->added) { 516 subsurface->added = true; -> 517 wlr_signal_emit_safe(&subsurface->parent->events.new_subsurface, 518 subsurface); 519 } 520 } (lldb) up frame #5: 0x00007ffff78e56fa libwlroots.so.10`surface_commit_state(surface=0x00005555565b21b0, next=0x00005555565b2338) at wlr_surface.c:439:3 436 wl_list_insert(&surface->current.subsurfaces_above, 437 &subsurface->current.link); 438 -> 439 subsurface_parent_commit(subsurface); 440 } 441 wl_list_for_each_reverse(subsurface, &surface->pending.subsurfaces_below, 442 pending.link) { (lldb) up frame #6: 0x00007ffff78e5b88 libwlroots.so.10`surface_handle_commit(client=0x0000555556564c80, resource=0x0000555556599a20) at wlr_surface.c:555:3 552 if (surface->pending.cached_state_locks > 0 || !wl_list_empty(&surface->cached)) { 553 surface_cache_pending(surface); 554 } else { -> 555 surface_commit_state(surface, &surface->pending); 556 } 557 } 558 (lldb) up frame #7: 0x00007ffff7000d4a libffi.so.8`___lldb_unnamed_symbol118 + 82 libffi.so.8`___lldb_unnamed_symbol118: -> 0x7ffff7000d4a <+82>: leaq 0x18(%rbp), %rsp 0x7ffff7000d4e <+86>: movq (%rbp), %rcx 0x7ffff7000d52 <+90>: movq 0x8(%rbp), %rdi 0x7ffff7000d56 <+94>: movq 0x10(%rbp), %rbp (lldb) up frame #8: 0x00007ffff7000267 libffi.so.8`___lldb_unnamed_symbol115 + 439 libffi.so.8`___lldb_unnamed_symbol115: -> 0x7ffff7000267 <+439>: movq -0x38(%rbp), %rax 0x7ffff700026b <+443>: subq %fs:0x28, %rax 0x7ffff7000274 <+452>: jne 0x7ffff70004e7 ; <+1079> 0x7ffff700027a <+458>: leaq -0x28(%rbp), %rsp (lldb) up frame #9: 0x00007ffff795a173 libwayland-server.so.0`___lldb_unnamed_symbol271 + 371 libwayland-server.so.0`___lldb_unnamed_symbol271: -> 0x7ffff795a173 <+371>: movq 0x8(%r12), %rax 0x7ffff795a178 <+376>: movq 0x8(%rax), %rdi 0x7ffff795a17c <+380>: movl (%r12), %eax 0x7ffff795a180 <+384>: testl %eax, %eax (lldb) up frame #10: 0x00007ffff795555c libwayland-server.so.0`___lldb_unnamed_symbol210 + 588 libwayland-server.so.0`___lldb_unnamed_symbol210: -> 0x7ffff795555c <+588>: jmp 0x7ffff7955435 ; <+293> 0x7ffff7955561 <+593>: nopl (%rax) 0x7ffff7955568 <+600>: callq *0xd76a(%rip) 0x7ffff795556e <+606>: cmpl $0xb, (%rax) (lldb) up frame #11: 0x00007ffff795804a libwayland-server.so.0`wl_event_loop_dispatch + 202 libwayland-server.so.0`wl_event_loop_dispatch: -> 0x7ffff795804a <+202>: addq $0xc, %r15 0x7ffff795804e <+206>: cmpq %r15, %rbp 0x7ffff7958051 <+209>: jne 0x7ffff7958038 ; <+184> 0x7ffff7958053 <+211>: movq 0x8(%rsp), %rcx1 (lldb) up frame #12: 0x00007ffff7955bc7 libwayland-server.so.0`wl_display_run + 39 libwayland-server.so.0`wl_display_run: -> 0x7ffff7955bc7 <+39>: movl 0x8(%rbx), %eax 0x7ffff7955bca <+42>: testl %eax, %eax 0x7ffff7955bcc <+44>: jne 0x7ffff7955bb0 ; <+16> 0x7ffff7955bce <+46>: popq %rbx (lldb) up frame #13: 0x00005555555756eb sway`server_run(server=0x00005555555f0640) at server.c:296:2 293 void server_run(struct sway_server *server) { 294 sway_log(SWAY_INFO, "Running compositor on wayland display '%s'", 295 server->socket); -> 296 wl_display_run(server->wl_display); 297 } (lldb) up frame #14: 0x0000555555574947 sway`main(argc=1, argv=0x00007fffffffe8d8) at main.c:428:2 425 swaynag_show(&config->swaynag_config_errors); 426 } 427 -> 428 server_run(&server); 429 430 shutdown: 431 sway_log(SWAY_INFO, "Shutting down sway"); (lldb) up frame #15: 0x00007ffff761db25 libc.so.6`__libc_start_main + 213 libc.so.6`__libc_start_main: -> 0x7ffff761db25 <+213>: movl %eax, %edi 0x7ffff761db27 <+215>: callq 0x7ffff7635630 ; exit 0x7ffff761db2c <+220>: movq (%rsp), %rax 0x7ffff761db30 <+224>: leaq 0x163929(%rip), %rdi (lldb) up frame #16: 0x00005555555656be sway`_start + 46 sway`_start: -> 0x5555555656be <+46>: hlt 0x5555555656bf: nop sway`deregister_tm_clones: 0x5555555656c0 <+0>: leaq 0x8aeb9(%rip), %rdi ; optind@GLIBC_2.2.5 0x5555555656c7 <+7>: leaq 0x8aeb2(%rip), %rax ; optind@GLIBC_2.2.5 Signed-off-by: Alexander Orzechowski <orzechowski.alexander@gmail.com>

This change prevents swaybar from crashing when trying to open the context menu of a StatusNotifierItem. Observed with blueman-applet. The backtrace is: Program terminated with signal SIGSEGV, Segmentation fault. #0 0x000055fa7472b150 in dbusmenu_menu_find_menu_surface (menu=0x0, surface=0x55fa74d290d0) at ../sway-1.7/swaybar/tray/dbusmenu.c:1203 1203 if (menu->surface && menu->surface->surface == surface) { (gdb) bt #0 0x000055fa7472b150 in dbusmenu_menu_find_menu_surface (menu=0x0, surface=0x55fa74d290d0) at ../sway-1.7/swaybar/tray/dbusmenu.c:1203 #1 0x000055fa7472b4a3 in dbusmenu_pointer_enter (data=0x55fa74d28310, wl_pointer=0x55fa74d22e10, serial=348969, surface=0x55fa74d290d0, surface_x=365306, surface_y=6803) at ../sway-1.7/swaybar/tray/dbusmenu.c:1278 swaywm#2 0x000055fa747192eb in wl_pointer_enter (data=0x55fa74d28310, wl_pointer=0x55fa74d22e10, serial=348969, surface=0x55fa74d290d0, surface_x=365306, surface_y=6803) at ../sway-1.7/swaybar/input.c:121 swaywm#3 0x00007f9eced29e1a in () at /usr/lib64/libffi.so.8 swaywm#4 0x00007f9eced2937c in () at /usr/lib64/libffi.so.8 swaywm#5 0x00007f9ecf6da4c1 in () at /usr/lib64/libwayland-client.so.0 swaywm#6 0x00007f9ecf6d6a0a in () at /usr/lib64/libwayland-client.so.0 swaywm#7 0x00007f9ecf6d832c in wl_display_dispatch_queue_pending () at /usr/lib64/libwayland-client.so.0 swaywm#8 0x00007f9ecf6d884f in wl_display_roundtrip_queue () at /usr/lib64/libwayland-client.so.0 swaywm#9 0x000055fa7472acc8 in swaybar_dbusmenu_create (sni=0x55fa74e05590, output=0x55fa74d28d60, seat=0x55fa74d28310, serial=348944, x=5230, y=1100) at ../sway-1.7/swaybar/tray/dbusmenu.c:1107 swaywm#10 0x000055fa74724de8 in handle_click (sni=0x55fa74e05590, output=0x55fa74d28d60, seat=0x55fa74d28310, serial=348944, x=5230, y=1100, button=273, delta=1) at ../sway-1.7/swaybar/tray/item.c:379 swaywm#11 0x000055fa74725137 in icon_hotspot_callback (output=0x55fa74d28d60, hotspot=0x55fa74db12f0, seat=0x55fa74d28310, serial=348944, x=1390.921875, y=20.99609375, button=273, data=0x55fa74f33e40) at ../sway-1.7/swaybar/tray/item.c:423 swaywm#12 0x000055fa74719555 in process_hotspots (output=0x55fa74d28d60, seat=0x55fa74d28310, serial=348944, x=1390.921875, y=20.99609375, button=273) at ../sway-1.7/swaybar/input.c:175 swaywm#13 0x000055fa74719693 in wl_pointer_button (data=0x55fa74d28310, wl_pointer=0x55fa74d22e10, serial=348944, time=1003868332, button=273, state=1) at ../sway-1.7/swaybar/input.c:207 swaywm#14 0x00007f9eced29e1a in () at /usr/lib64/libffi.so.8 swaywm#15 0x00007f9eced2937c in () at /usr/lib64/libffi.so.8 swaywm#16 0x00007f9ecf6da4c1 in () at /usr/lib64/libwayland-client.so.0 swaywm#17 0x00007f9ecf6d6a0a in () at /usr/lib64/libwayland-client.so.0 swaywm#18 0x00007f9ecf6d832c in wl_display_dispatch_queue_pending () at /usr/lib64/libwayland-client.so.0 swaywm#19 0x000055fa74716aa9 in display_in (fd=136, mask=1, data=0x55fa7473ba40 <swaybar>) at ../sway-1.7/swaybar/bar.c:470 swaywm#20 0x000055fa7472d414 in loop_poll (loop=0x55fa74d20fd0) at ../sway-1.7/common/loop.c:84 swaywm#21 0x000055fa74716d52 in bar_run (bar=0x55fa7473ba40 <swaybar>) at ../sway-1.7/swaybar/bar.c:519 swaywm#22 0x000055fa7471cec2 in main (argc=3, argv=0x7fff4c24db38) at ../sway-1.7/swaybar/main.c:101

There seems to be a null pointer access that can happen. I was able to reproduce this by running the cemu emulator[1] with the new collabora wine wayland driver[2] and opening and closing some sub menus. Adding a trival null check seems to do the trick to stop sway from crashing and returning to tty and everything else works normally. [1]: http://cemu.info/ [2]: https://www.winehq.org/pipermail/wine-devel/2021-December/203035.html Stack trace from lldb: * thread swaywm#1, name = 'sway', stop reason = signal SIGSEGV: invalid address (fault address: 0xf8) frame #0: 0x00005555555c3fc3 sway`view_child_init(child=0x0000555555f67940, impl=0x00005555555ee030, view=0x00005555565bc590, surface=0x00005555565b6940) at view.c:1117:25 1114 wl_signal_add(&view->events.unmap, &child->view_unmap); 1115 child->view_unmap.notify = view_child_handle_view_unmap; 1116 -> 1117 struct sway_workspace *workspace = child->view->container->pending.workspace; 1118 if (workspace) { 1119 wlr_surface_send_enter(child->surface, workspace->output->wlr_output); 1120 } (lldb) up error: sway {0x000342ab}: DIE has DW_AT_ranges(DW_FORM_sec_offset 0x67) attribute, but range extraction failed (invalid range list offset 0x67), please file a bug and attach the file at the start of this error message frame swaywm#1: 0x00005555555c39f8 sway`view_child_subsurface_create(child=0x00005555564a10d0, wlr_subsurface=0x0000555556586910) at view.c:985:2 982 } 983 subsurface->child.parent = child; 984 wl_list_insert(&child->children, &subsurface->child.link); -> 985 view_child_init(&subsurface->child, &subsurface_impl, child->view, 986 wlr_subsurface->surface); 987 988 wl_signal_add(&wlr_subsurface->events.destroy, &subsurface->destroy); (lldb) up frame swaywm#2: 0x00005555555c3c2a sway`view_child_handle_surface_new_subsurface(listener=0x00005555564a1130, data=0x0000555556586910) at view.c:1031:2 1028 struct sway_view_child *child = 1029 wl_container_of(listener, child, surface_new_subsurface); 1030 struct wlr_subsurface *subsurface = data; -> 1031 view_child_subsurface_create(child, subsurface); 1032 } 1033 1034 static void view_child_handle_surface_destroy(struct wl_listener *listener, (lldb) up frame swaywm#3: 0x00007ffff78f4bfe libwlroots.so.10`wlr_signal_emit_safe(signal=0x00005555565b2470, data=0x0000555556586910) at signal.c:29:3 26 wl_list_remove(&cursor.link); 27 wl_list_insert(pos, &cursor.link); 28 -> 29 l->notify(l, data); 30 } 31 32 wl_list_remove(&cursor.link); (lldb) up frame swaywm#4: 0x00007ffff78e5a41 libwlroots.so.10`subsurface_parent_commit(subsurface=0x0000555556586910) at wlr_surface.c:517:3 514 515 if (!subsurface->added) { 516 subsurface->added = true; -> 517 wlr_signal_emit_safe(&subsurface->parent->events.new_subsurface, 518 subsurface); 519 } 520 } (lldb) up frame swaywm#5: 0x00007ffff78e56fa libwlroots.so.10`surface_commit_state(surface=0x00005555565b21b0, next=0x00005555565b2338) at wlr_surface.c:439:3 436 wl_list_insert(&surface->current.subsurfaces_above, 437 &subsurface->current.link); 438 -> 439 subsurface_parent_commit(subsurface); 440 } 441 wl_list_for_each_reverse(subsurface, &surface->pending.subsurfaces_below, 442 pending.link) { (lldb) up frame swaywm#6: 0x00007ffff78e5b88 libwlroots.so.10`surface_handle_commit(client=0x0000555556564c80, resource=0x0000555556599a20) at wlr_surface.c:555:3 552 if (surface->pending.cached_state_locks > 0 || !wl_list_empty(&surface->cached)) { 553 surface_cache_pending(surface); 554 } else { -> 555 surface_commit_state(surface, &surface->pending); 556 } 557 } 558 (lldb) up frame swaywm#7: 0x00007ffff7000d4a libffi.so.8`___lldb_unnamed_symbol118 + 82 libffi.so.8`___lldb_unnamed_symbol118: -> 0x7ffff7000d4a <+82>: leaq 0x18(%rbp), %rsp 0x7ffff7000d4e <+86>: movq (%rbp), %rcx 0x7ffff7000d52 <+90>: movq 0x8(%rbp), %rdi 0x7ffff7000d56 <+94>: movq 0x10(%rbp), %rbp (lldb) up frame swaywm#8: 0x00007ffff7000267 libffi.so.8`___lldb_unnamed_symbol115 + 439 libffi.so.8`___lldb_unnamed_symbol115: -> 0x7ffff7000267 <+439>: movq -0x38(%rbp), %rax 0x7ffff700026b <+443>: subq %fs:0x28, %rax 0x7ffff7000274 <+452>: jne 0x7ffff70004e7 ; <+1079> 0x7ffff700027a <+458>: leaq -0x28(%rbp), %rsp (lldb) up frame swaywm#9: 0x00007ffff795a173 libwayland-server.so.0`___lldb_unnamed_symbol271 + 371 libwayland-server.so.0`___lldb_unnamed_symbol271: -> 0x7ffff795a173 <+371>: movq 0x8(%r12), %rax 0x7ffff795a178 <+376>: movq 0x8(%rax), %rdi 0x7ffff795a17c <+380>: movl (%r12), %eax 0x7ffff795a180 <+384>: testl %eax, %eax (lldb) up frame swaywm#10: 0x00007ffff795555c libwayland-server.so.0`___lldb_unnamed_symbol210 + 588 libwayland-server.so.0`___lldb_unnamed_symbol210: -> 0x7ffff795555c <+588>: jmp 0x7ffff7955435 ; <+293> 0x7ffff7955561 <+593>: nopl (%rax) 0x7ffff7955568 <+600>: callq *0xd76a(%rip) 0x7ffff795556e <+606>: cmpl $0xb, (%rax) (lldb) up frame swaywm#11: 0x00007ffff795804a libwayland-server.so.0`wl_event_loop_dispatch + 202 libwayland-server.so.0`wl_event_loop_dispatch: -> 0x7ffff795804a <+202>: addq $0xc, %r15 0x7ffff795804e <+206>: cmpq %r15, %rbp 0x7ffff7958051 <+209>: jne 0x7ffff7958038 ; <+184> 0x7ffff7958053 <+211>: movq 0x8(%rsp), %rcx1 (lldb) up frame swaywm#12: 0x00007ffff7955bc7 libwayland-server.so.0`wl_display_run + 39 libwayland-server.so.0`wl_display_run: -> 0x7ffff7955bc7 <+39>: movl 0x8(%rbx), %eax 0x7ffff7955bca <+42>: testl %eax, %eax 0x7ffff7955bcc <+44>: jne 0x7ffff7955bb0 ; <+16> 0x7ffff7955bce <+46>: popq %rbx (lldb) up frame swaywm#13: 0x00005555555756eb sway`server_run(server=0x00005555555f0640) at server.c:296:2 293 void server_run(struct sway_server *server) { 294 sway_log(SWAY_INFO, "Running compositor on wayland display '%s'", 295 server->socket); -> 296 wl_display_run(server->wl_display); 297 } (lldb) up frame swaywm#14: 0x0000555555574947 sway`main(argc=1, argv=0x00007fffffffe8d8) at main.c:428:2 425 swaynag_show(&config->swaynag_config_errors); 426 } 427 -> 428 server_run(&server); 429 430 shutdown: 431 sway_log(SWAY_INFO, "Shutting down sway"); (lldb) up frame swaywm#15: 0x00007ffff761db25 libc.so.6`__libc_start_main + 213 libc.so.6`__libc_start_main: -> 0x7ffff761db25 <+213>: movl %eax, %edi 0x7ffff761db27 <+215>: callq 0x7ffff7635630 ; exit 0x7ffff761db2c <+220>: movq (%rsp), %rax 0x7ffff761db30 <+224>: leaq 0x163929(%rip), %rdi (lldb) up frame swaywm#16: 0x00005555555656be sway`_start + 46 sway`_start: -> 0x5555555656be <+46>: hlt 0x5555555656bf: nop sway`deregister_tm_clones: 0x5555555656c0 <+0>: leaq 0x8aeb9(%rip), %rdi ; optind@GLIBC_2.2.5 0x5555555656c7 <+7>: leaq 0x8aeb2(%rip), %rax ; optind@GLIBC_2.2.5 Signed-off-by: Alexander Orzechowski <orzechowski.alexander@gmail.com>

In case a display is unplugged, the sway output may be removed from the userdata before the gamma_control can be reset. In this case we can't schedule a commit on the output, simply return within the function. backtrace full: #0 handle_gamma_control_set_gamma (listener=0x4856a8 <server+616>, data=0x7ffce1ed59c0) at ../sway/desktop/output.c:1105 server = 0x485440 <server> event = 0x7ffce1ed59c0 output = 0x0 swaywm#1 0x00007f430d1dca0c in wl_signal_emit_mutable () from /nix/store/ky1g6ylzr2m4bq8fy0gzrnqmjr6948k5-wayland-1.22.0/lib/libwayland-server.so.0 No symbol table info available. swaywm#2 0x00007f430d142370 in gamma_control_destroy (gamma_control=0x29eb9b0) at ../types/wlr_gamma_control_v1.c:37 manager = 0x27e33e0 output = 0x2a10770 event = {output = 0x2a10770, control = 0x0} swaywm#3 0x00007f430d14239b in gamma_control_handle_output_destroy (listener=<optimized out>, data=<optimized out>) at ../types/wlr_gamma_control_v1.c:59 gamma_control = <optimized out> swaywm#4 0x00007f430d1dca0c in wl_signal_emit_mutable () from /nix/store/ky1g6ylzr2m4bq8fy0gzrnqmjr6948k5-wayland-1.22.0/lib/libwayland-server.so.0 No symbol table info available. swaywm#5 0x00007f430d12a0e0 in wlr_output_destroy (output=output@entry=0x2a10770) at ../types/output/output.c:384 cursor = <optimized out> tmp_cursor = <optimized out> layer = <optimized out> tmp_layer = <optimized out> swaywm#6 0x00007f430d114ecf in disconnect_drm_connector (conn=conn@entry=0x2a10770) at ../backend/drm/drm.c:1757 __PRETTY_FUNCTION__ = "disconnect_drm_connector" swaywm#7 0x00007f430d117078 in scan_drm_connectors (drm=drm@entry=0x1eebab0, event=event@entry=0x7ffce1ed5c1c) at ../backend/drm/drm.c:1597 c = <optimized out> wlr_conn = 0x2a10770 drm_conn = 0x2e760d0 conn_id = <optimized out> index = 4 i = 4 res = 0x2e761f0 seen_len = 5 seen = {true, true, true, true, true, false} new_outputs_len = 0 new_outputs = 0x7ffce1ed5ab0 conn = <optimized out> tmp_conn = <optimized out> index = <optimized out> swaywm#8 0x00007f430d113425 in handle_dev_change (listener=0x1eebbb0, data=0x7ffce1ed5c18) at ../backend/drm/backend.c:157 drm = 0x1eebab0 change = 0x7ffce1ed5c18 swaywm#9 0x00007f430d1dca0c in wl_signal_emit_mutable () from /nix/store/ky1g6ylzr2m4bq8fy0gzrnqmjr6948k5-wayland-1.22.0/lib/libwayland-server.so.0 No symbol table info available. swaywm#10 0x00007f430d111696 in handle_udev_event (fd=<optimized out>, mask=<optimized out>, data=<optimized out>) at ../backend/session/session.c:213 event = {type = WLR_DEVICE_HOTPLUG, {hotplug = {connector_id = 0, prop_id = 0}}} devnum = <optimized out> dev = 0x1ed9460 session = <optimized out> udev_dev = 0x2e70db0 sysname = 0x2e73c60 "card0" devnode = <optimized out> action = 0x7f430d6677b5 "change" seat = <optimized out> __PRETTY_FUNCTION__ = "handle_udev_event" swaywm#11 0x00007f430d1de8e2 in wl_event_loop_dispatch () from /nix/store/ky1g6ylzr2m4bq8fy0gzrnqmjr6948k5-wayland-1.22.0/lib/libwayland-server.so.0 No symbol table info available. swaywm#12 0x00007f430d1dc445 in wl_display_run () from /nix/store/ky1g6ylzr2m4bq8fy0gzrnqmjr6948k5-wayland-1.22.0/lib/libwayland-server.so.0 No symbol table info available. swaywm#13 0x000000000041daa5 in server_run (server=server@entry=0x485440 <server>) at ../sway/server.c:338 No locals. swaywm#14 0x000000000041cf4d in main (argc=<optimized out>, argv=0x7ffce1ed5fe8) at ../sway/main.c:415 verbose = false debug = false validate = false allow_unsupported_gpu = false config_path = 0x0 c = <optimized out> where event->output->data is NULL: (gdb) p event->output->data $5 = (void *) 0x0

In case a display is unplugged, the sway output may be removed from the userdata before the gamma_control can be reset. In this case we can't schedule a commit on the output, simply return within the function. backtrace full: #0 handle_gamma_control_set_gamma (listener=0x4856a8 <server+616>, data=0x7ffce1ed59c0) at ../sway/desktop/output.c:1105 server = 0x485440 <server> event = 0x7ffce1ed59c0 output = 0x0 #1 0x00007f430d1dca0c in wl_signal_emit_mutable () from /nix/store/ky1g6ylzr2m4bq8fy0gzrnqmjr6948k5-wayland-1.22.0/lib/libwayland-server.so.0 No symbol table info available. #2 0x00007f430d142370 in gamma_control_destroy (gamma_control=0x29eb9b0) at ../types/wlr_gamma_control_v1.c:37 manager = 0x27e33e0 output = 0x2a10770 event = {output = 0x2a10770, control = 0x0} #3 0x00007f430d14239b in gamma_control_handle_output_destroy (listener=<optimized out>, data=<optimized out>) at ../types/wlr_gamma_control_v1.c:59 gamma_control = <optimized out> #4 0x00007f430d1dca0c in wl_signal_emit_mutable () from /nix/store/ky1g6ylzr2m4bq8fy0gzrnqmjr6948k5-wayland-1.22.0/lib/libwayland-server.so.0 No symbol table info available. #5 0x00007f430d12a0e0 in wlr_output_destroy (output=output@entry=0x2a10770) at ../types/output/output.c:384 cursor = <optimized out> tmp_cursor = <optimized out> layer = <optimized out> tmp_layer = <optimized out> #6 0x00007f430d114ecf in disconnect_drm_connector (conn=conn@entry=0x2a10770) at ../backend/drm/drm.c:1757 __PRETTY_FUNCTION__ = "disconnect_drm_connector" #7 0x00007f430d117078 in scan_drm_connectors (drm=drm@entry=0x1eebab0, event=event@entry=0x7ffce1ed5c1c) at ../backend/drm/drm.c:1597 c = <optimized out> wlr_conn = 0x2a10770 drm_conn = 0x2e760d0 conn_id = <optimized out> index = 4 i = 4 res = 0x2e761f0 seen_len = 5 seen = {true, true, true, true, true, false} new_outputs_len = 0 new_outputs = 0x7ffce1ed5ab0 conn = <optimized out> tmp_conn = <optimized out> index = <optimized out> #8 0x00007f430d113425 in handle_dev_change (listener=0x1eebbb0, data=0x7ffce1ed5c18) at ../backend/drm/backend.c:157 drm = 0x1eebab0 change = 0x7ffce1ed5c18 #9 0x00007f430d1dca0c in wl_signal_emit_mutable () from /nix/store/ky1g6ylzr2m4bq8fy0gzrnqmjr6948k5-wayland-1.22.0/lib/libwayland-server.so.0 No symbol table info available. #10 0x00007f430d111696 in handle_udev_event (fd=<optimized out>, mask=<optimized out>, data=<optimized out>) at ../backend/session/session.c:213 event = {type = WLR_DEVICE_HOTPLUG, {hotplug = {connector_id = 0, prop_id = 0}}} devnum = <optimized out> dev = 0x1ed9460 session = <optimized out> udev_dev = 0x2e70db0 sysname = 0x2e73c60 "card0" devnode = <optimized out> action = 0x7f430d6677b5 "change" seat = <optimized out> __PRETTY_FUNCTION__ = "handle_udev_event" #11 0x00007f430d1de8e2 in wl_event_loop_dispatch () from /nix/store/ky1g6ylzr2m4bq8fy0gzrnqmjr6948k5-wayland-1.22.0/lib/libwayland-server.so.0 No symbol table info available. #12 0x00007f430d1dc445 in wl_display_run () from /nix/store/ky1g6ylzr2m4bq8fy0gzrnqmjr6948k5-wayland-1.22.0/lib/libwayland-server.so.0 No symbol table info available. #13 0x000000000041daa5 in server_run (server=server@entry=0x485440 <server>) at ../sway/server.c:338 No locals. #14 0x000000000041cf4d in main (argc=<optimized out>, argv=0x7ffce1ed5fe8) at ../sway/main.c:415 verbose = false debug = false validate = false allow_unsupported_gpu = false config_path = 0x0 c = <optimized out> where event->output->data is NULL: (gdb) p event->output->data $5 = (void *) 0x0

* root: Try to preserve relative positions of floating containers This makes the behavior of floating containers more consistent with i3. The coordinates of the container are scaled when the size of the workspace it is on changes or when the container is moved between workspaces on different outputs. For scratchpad containers, add a new state that preserves the dimensions of the last output the window appeared on. This is necessary because after a container is hidden in the scratchpad, we expect it to be in the same relative position on the output when it reappears. We can't just use the container's attached workspace because that workspace's dimensions might have been changed or the workspace as a whole could have been destroyed. * root: Set inactive focus when scratchpad is moved to new workspace Fixes an issue where an already visible scratchpad window being moved due to 'scratchpad show' leaves the entire workspace at the top of the focus stack in the old workspace. Moving by 'focus output' back to the old workspace would focus the entire workspace instead of just the last active container. * Init the damage_ring bounds on output creation Otherwise the initial bounds would be `INT_MAX` until `handle_mode` or `handle_commit` is called :) * man: deprecate seat cursor move/set/press/release The Wayland protocol better serves this purpose, and is supported by more compositors. * Add a .mailmap file * ipc: add LIBINPUT_CONFIG_ACCEL_PROFILE_CUSTOM entry This was introduced in the last libinput release. Fixes the following error: ../sway/ipc-json.c:928:17: error: enumeration value 'LIBINPUT_CONFIG_ACCEL_PROFILE_CUSTOM' not handled in switch [-Werror=switch] 928 | switch (libinput_device_config_accel_get_profile(device)) { | ^~~~~~ * swaybar: Set opaque region properly The opaque region is set incorrectly if updated on-the-fly if switching from an opaque to a non opaque background. * swaybar: Lift background clearing out of main rendering function This avoids us from using a bogus background_color value that mutates as swaybar renders things and deciding opacity depending on that. Also remove a redundant full surface clear. Just directly write our desired background color. * Fix damage-ring bounds not being set when unplugging -> plugging in monitor swaywm#7524 was a partial fix. Seems like this is still an issue when unplugging and plugging the monitor back in. Closes: swaywm#7528 * Remove duplicate wlr_damage_ring_set_bounds() call We already do this in handle_commit(). * Chase wlroots!4067 * Pass version to wlr_compositor_create() References: https://gitlab.freedesktop.org/wlroots/wlroots/-/merge_requests/3696 * Skip direct scan-out commit when damage is empty When there is no damage, no need to perform an output commit, even when direct scan-out is used. * Set output damage during direct scan-out During direct scan-out, pass the damaged region to the wlroots backend. * Fix old style function definitions Signed-off-by: Elyes Haouas <ehaouas@noos.fr> * Introduce output_match_name_or_id() Reduces code duplication. * Use all_output_by_name_or_id() in merge_id_on_name() No need to iterate over the outputs manually. * Use output_match_name_or_id() in apply_output_config_to_outputs() * Use output_match_name_or_id() in workspace functions * Add format_str() and vformat_str() Simple helpers to allocate and format a string. * pango: add printf attribute This allows the compiler to catch mismatches between the format string and the arguments passed in. Need to add -Wno-format-zero-length because we pass an empty string on purpose in swaybar/render.c. * commands/floating_minmax_size: fix error strings cmd_results_new() does not take the command name as argument. * commands: add printf attribute to cmd_results_new() And fix the resulting build failures. * config: add printf attribute to config_add_swaynag_warning() * swaynag: add printf attribute to swaynag_log() * common/gesture: use format_str() We already had a similar function in there. * Use format_str() throughout * xdg_shell: Fix crash if popup generates while toplevel is in the scratchpad * render: pass rendering state together in a struct This lets us easily add rendering state that we need in the future * render: Don't pass matrix into render_texture * render: Use wlr_render_pass * Don't crash if there is no damage during render * Add support for touch cancel events * handle_touch_cancel: fix begin default I forgot to call seatop_begin_default in e8f7551. * swaybar: always subscribe to mode and workspace always subscribe to mode and workspace events, since we might need them after bar config updates even if we don't need them initially. * render: Apply clip to rendered texture correctly The new wlr_render_pass API provides src_box, dst_box and clip parameters for texture rendition. Rather than clipping the dst_box, which control the projection matrix and leads to compression, intersect the damage and clip box and pass these as a clip parameter. Fixes: swaywm#7579 Regressed by: swaywm#7552 * render: Clear using wlr_output dimensions Clear was done using sway_output's logical dimensions, instead of the wlr_output physical dimensions. This meant that when output scaling was applied, only a part of the screen would be cleared. Use the wlr_output dimensions instead. Regressed by: swaywm#7552 * render: fix titlebar texture clipping We need to provide an unclipped dst_box. Fixes: swaywm#7573 Regressed by: swaywm#7552 * seatop_down: Call seatop_begin_default after sending touch events This is consistent with pointer tablet and button events. Fixes swaywm#7577. * Fix layer old damage not being offset by the monitor layout coords * xwayland: don't rely on event source being data This pattern is being slowly removed from wlroots. * chore: chase wlroots map logic unification * lock: listen to the correct map signal * xwayland: fix mapped state check in OR handlers * chase wlroots wlr_renderer_begin_buffer_pass change https://gitlab.freedesktop.org/wlroots/wlroots/-/merge_requests/4159 > ../sway/desktop/output.c:618:47: error: too few arguments to function 'wlr_renderer_begin_buffer_pass' > 618 | struct wlr_render_pass *render_pass = wlr_renderer_begin_buffer_pass( > | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * Add support for wlr-layer-shell ON_DEMAND keyboard interactivity This allows for layer shell surfaces to receive focus while the surface is explicitly focused, i.e allowing text fields to receive keyboard input just like a regular surface. * Handle gamma-control-v1 set_gamma events References: https://gitlab.freedesktop.org/wlroots/wlroots/-/merge_requests/4046 * desktop/output: use detached output state for page-flips This avoids relying on the implicit wlr_output.pending state. * desktop/output: fix damage bitfield in wlr_output_state * man: add --inhibited and --no-repeat to bindsym and bindcode usage * Fix `bindsym --to-code` not respecting input configs Fixes swaywm#7535 * gamma_control_v1: Reset dirty flag * gamma_control_v1: handle destroyed output In case a display is unplugged, the sway output may be removed from the userdata before the gamma_control can be reset. In this case we can't schedule a commit on the output, simply return within the function. backtrace full: #0 handle_gamma_control_set_gamma (listener=0x4856a8 <server+616>, data=0x7ffce1ed59c0) at ../sway/desktop/output.c:1105 server = 0x485440 <server> event = 0x7ffce1ed59c0 output = 0x0 #1 0x00007f430d1dca0c in wl_signal_emit_mutable () from /nix/store/ky1g6ylzr2m4bq8fy0gzrnqmjr6948k5-wayland-1.22.0/lib/libwayland-server.so.0 No symbol table info available. #2 0x00007f430d142370 in gamma_control_destroy (gamma_control=0x29eb9b0) at ../types/wlr_gamma_control_v1.c:37 manager = 0x27e33e0 output = 0x2a10770 event = {output = 0x2a10770, control = 0x0} #3 0x00007f430d14239b in gamma_control_handle_output_destroy (listener=<optimized out>, data=<optimized out>) at ../types/wlr_gamma_control_v1.c:59 gamma_control = <optimized out> #4 0x00007f430d1dca0c in wl_signal_emit_mutable () from /nix/store/ky1g6ylzr2m4bq8fy0gzrnqmjr6948k5-wayland-1.22.0/lib/libwayland-server.so.0 No symbol table info available. #5 0x00007f430d12a0e0 in wlr_output_destroy (output=output@entry=0x2a10770) at ../types/output/output.c:384 cursor = <optimized out> tmp_cursor = <optimized out> layer = <optimized out> tmp_layer = <optimized out> #6 0x00007f430d114ecf in disconnect_drm_connector (conn=conn@entry=0x2a10770) at ../backend/drm/drm.c:1757 __PRETTY_FUNCTION__ = "disconnect_drm_connector" #7 0x00007f430d117078 in scan_drm_connectors (drm=drm@entry=0x1eebab0, event=event@entry=0x7ffce1ed5c1c) at ../backend/drm/drm.c:1597 c = <optimized out> wlr_conn = 0x2a10770 drm_conn = 0x2e760d0 conn_id = <optimized out> index = 4 i = 4 res = 0x2e761f0 seen_len = 5 seen = {true, true, true, true, true, false} new_outputs_len = 0 new_outputs = 0x7ffce1ed5ab0 conn = <optimized out> tmp_conn = <optimized out> index = <optimized out> #8 0x00007f430d113425 in handle_dev_change (listener=0x1eebbb0, data=0x7ffce1ed5c18) at ../backend/drm/backend.c:157 drm = 0x1eebab0 change = 0x7ffce1ed5c18 #9 0x00007f430d1dca0c in wl_signal_emit_mutable () from /nix/store/ky1g6ylzr2m4bq8fy0gzrnqmjr6948k5-wayland-1.22.0/lib/libwayland-server.so.0 No symbol table info available. #10 0x00007f430d111696 in handle_udev_event (fd=<optimized out>, mask=<optimized out>, data=<optimized out>) at ../backend/session/session.c:213 event = {type = WLR_DEVICE_HOTPLUG, {hotplug = {connector_id = 0, prop_id = 0}}} devnum = <optimized out> dev = 0x1ed9460 session = <optimized out> udev_dev = 0x2e70db0 sysname = 0x2e73c60 "card0" devnode = <optimized out> action = 0x7f430d6677b5 "change" seat = <optimized out> __PRETTY_FUNCTION__ = "handle_udev_event" #11 0x00007f430d1de8e2 in wl_event_loop_dispatch () from /nix/store/ky1g6ylzr2m4bq8fy0gzrnqmjr6948k5-wayland-1.22.0/lib/libwayland-server.so.0 No symbol table info available. #12 0x00007f430d1dc445 in wl_display_run () from /nix/store/ky1g6ylzr2m4bq8fy0gzrnqmjr6948k5-wayland-1.22.0/lib/libwayland-server.so.0 No symbol table info available. #13 0x000000000041daa5 in server_run (server=server@entry=0x485440 <server>) at ../sway/server.c:338 No locals. #14 0x000000000041cf4d in main (argc=<optimized out>, argv=0x7ffce1ed5fe8) at ../sway/main.c:415 verbose = false debug = false validate = false allow_unsupported_gpu = false config_path = 0x0 c = <optimized out> where event->output->data is NULL: (gdb) p event->output->data $5 = (void *) 0x0 * input/libinput: add scroll_button_lock method Closes swaywm#6987 Co-authored-by: JJGadgets <git@jjgadgets.tech> Co-authored-by: DeltaWhy <mike5713@gmail.com> * render: Use wlroots scale filter * Use wlr_cursor_set_xcursor() wlr_xcursor_manager_set_cursor_image() is deprecated. References: https://gitlab.freedesktop.org/wlroots/wlroots/-/merge_requests/4170 * Use wlr_cursor_unset_image() A bit cleaner. References: https://gitlab.freedesktop.org/wlroots/wlroots/-/merge_requests/4209 * idle-inhibit-v1: simplify with server global We only have a single running server, no need to keep track of multiple server instances. Also no need to support multiple idle inhibit managers. * swaybar: remove the argument of StatusNotifierHostRegistered According to https://www.freedesktop.org/wiki/Specifications/StatusNotifierItem/StatusNotifierWatcher/ there is no argument for the StatusNotifierHostRegistered signal. * Use "default" XCursor instead of "left_ptr" "left_ptr" is the legacy XCursor name. "default" is the cursor spec name. * input: Move wlr_pointer_gestures_v1 to sway_input_manager On multi-seat configurations a zwp_pointer_gestures_v1 global was created for every seat. Instead, create the global once in the input manager, to be shared across all seats. * swaybar: don't set current workspace as not visible When `wrap_scroll yes` is configured and there's only one workspace open, swaybar will mark it as not visible if the user scrolls on it and eventually incorrectly fail the `active->visible` assert. Fix this by making sure that new and current workspace aren't the same. * swaybar: handle wayland-cursor failures Updating the cursor is not essential, so this change prints a warning when wl_cursor_theme_load or wl_cursor_theme_get_cursor fail instead of crashing or exiting. * Send wl_surface.preferred_buffer_scale References: https://gitlab.freedesktop.org/wlroots/wlroots/-/merge_requests/3696 * Calculate tiled resize amount relative to parent container sway should shrinks/grows tiled windows according to parent container for ppt unit for i3 compatibility. Resolves: swaywm#7593 * chase wlroots 'presentation-time: add separate helper for zero-copy ' https://gitlab.freedesktop.org/wlroots/wlroots/-/commit/67447d6cb407ac5b6405b4dbae01a38567feb111 * swaynag: handle wayland-cursor failures Same as 92244c8 ("swaybar: handle wayland-cursor failures") but for swaynag. Closes: swaywm#7671 * Deprecate seat idle_wake Sway has two knobs to control idling: - seat idle_inhibit: when the seat is active (ie. not idle), this extends the active state. When the seat is idle, this is ignored. - seat idle_wake: when the seat is idle, this wakes up the seat. When the seat is active, this is ignored. The motivation for the deprecation is two-fold: - The concept of "seat idle state" is ill-defined. Each idle-notify-v1 client will pass a different idle timeout. With the old logic, a seat was declared idle if and only if all idle-notify-v1 timeouts have expired. However, if only a portion of the timeouts have expired, then some clients would wake up, and the rest would stay active. This is inconsistent with the definition of idle_inhibit/idle_wake: idle_inhibit was used for clients which are waking up. - It never worked properly with the new idle-notify-v1 protocol and no-one noticed. Only the legacy KDE idle protocol is taken into account, but that protocol is not used anymore. * Add Georgian README I am a native Georgian speaker. I have translated sway's README.md * fix crash when resizing tiled scratchpad windows Splitting and then hiding a scratchpad container results in a segfault. fixes swaywm#6693 * Add support for cursor-shape-v1 References: https://gitlab.freedesktop.org/wlroots/wlroots/-/merge_requests/4106 * swaybar: Implement wp_cursor_shape_v1 * swaynag: Implement wp_cursor_shape_v1 * desktop/output: drop logic to handle backend-applied mode The wlroots backends no longer magically apply output modes behind the compositor's back. * desktop/output: drop handle_mode() We already perform the exact same logic on transform/scale change. * desktop/output: fix output manager enabled state With recent wlroots changes, backends which don't support output modes can now support being disabled. We were always marking mode-less outputs as disabled. Stop doing that, check whether the output takes up some space in the layout instead. * output: drop current_mode This is now unused. * Rebase all cursors in handle_surface_map Fix swaylock showing transient cursor after locked. * Move contrib/ to separate repository User-contributed scripts are being moved over to this repository: https://github.com/OctopusET/sway-contrib * chase wlroots!4316 References: https://gitlab.freedesktop.org/wlroots/wlroots/-/merge_requests/4316 * chore: chase wlroots xdg-surface role rework * Fix typo * Hide xwayland_shell_v1 from regular clients Regular clients are not allowed to use this interface. wlroots already sends a protocol error if a non-Xwayland client tries to use this interface, but let's remove all temptation by hiding it completely. * view: update wlr_toplevel size on client resizes If a floating client resizes itself, sway updates several of its internal dimensions to match but not wlr_toplevel. This means that the next time wlroots sends a toplevel configure event, it can have wrong coordinates that resize the client back to its old size. To fix this, let's just use wlr_xdg_toplevel_set_size so the wlr_toplevel has the same dimensions as sway. Fixes swaywm#5266. * Revert "view: update wlr_toplevel size on client resizes" This isn't the right fix for this issue because the xwayland code also uses this function and updating the wlr_toplevel there doesn't make sense and also causes problems. Fixes swaywm#7722. This reverts commit bf44690. * xdg_shell: update wlr_toplevel size on client resizes If a floating client resizes itself, sway updates several of its internal dimensions to match but not wlr_toplevel. This means that the next time wlroots sends a toplevel configure event, it can have wrong coordinates that resize the client back to its old size. To fix this, let's just use wlr_xdg_toplevel_set_size so the wlr_toplevel has the same dimensions as sway. Exactly the same as 0183b9d but the logic is onlly applied to xdg_shell and not xwayland. * Added support for 'set_from_resource' command * Made fallback value for set_from_resource optional * Replaced reference of 'resdb' with 'trawldb' * Renamed sway to sway-regolith * Add and adapt debian packaging from https://salsa.debian.org/swaywm-team/sway * Package rename in changelog * Remove applied patch * Add libtrawldb dependency --------- Signed-off-by: Elyes Haouas <ehaouas@noos.fr> Co-authored-by: Ankit Pandey <anpandey@protonmail.com> Co-authored-by: Erik Reider <35975961+ErikReider@users.noreply.github.com> Co-authored-by: Simon Ser <contact@emersion.fr> Co-authored-by: Ronan Pigott <ronan@rjp.ie> Co-authored-by: Alexander Orzechowski <orzechowski.alexander@gmail.com> Co-authored-by: Elyes Haouas <ehaouas@noos.fr> Co-authored-by: Alexander Orzechowski <alex@ozal.ski> Co-authored-by: hrdl <31923882+hrdl-github@users.noreply.github.com> Co-authored-by: Mukundan314 <30190448+Mukundan314@users.noreply.github.com> Co-authored-by: Kenny Levinsen <kl@kl.wtf> Co-authored-by: Kirill Primak <vyivel@eclair.cafe> Co-authored-by: Artturin <Artturin@artturin.com> Co-authored-by: Shaked Flur <fshaked@gmail.com> Co-authored-by: 33KK <marko@pepega.club> Co-authored-by: Rouven Czerwinski <rouven@czerwinskis.de> Co-authored-by: Cezary Drożak <cezary@drozak.net> Co-authored-by: JJGadgets <git@jjgadgets.tech> Co-authored-by: DeltaWhy <mike5713@gmail.com> Co-authored-by: Hodong <111117126+hodong-kim@users.noreply.github.com> Co-authored-by: Mark Bolhuis <mark@bolhuis.dev> Co-authored-by: llyyr <llyyr.public@gmail.com> Co-authored-by: Manuel Stoeckl <code@mstoeckl.com> Co-authored-by: nukoseer <uygarkoseer@gmail.com> Co-authored-by: Nick Kipshidze <96648005+NickKipshidze@users.noreply.github.com> Co-authored-by: bretello <bretello@distruzione.org> Co-authored-by: ookami <mail@ookami.one> Co-authored-by: Leonardo Hernández Hernández <leohdz172@proton.me> Co-authored-by: luzpaz <luzpaz@users.noreply.github.com> Co-authored-by: Dudemanguy <random342@airmail.cc> Co-authored-by: Soumya Ranjan Patnaik <soumyaranjan1812@gmail.com> Co-authored-by: Regolith Linux <regolith.linux@gmail.com>

../sway/config/output.c:33:21: runtime error: member access within null pointer of type 'struct sway_output' AddressSanitizer:DEADLYSIGNAL ================================================================= ==7856==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000080 (pc 0x63da8558205c bp 0x7ffdc35881a0 sp 0x7ffdc3588160 T0) ==7856==The signal is caused by a READ memory access. ==7856==Hint: address points to the zero page. #0 0x63da8558205c in output_get_identifier ../sway/config/output.c:33 swaywm#1 0x63da855865c3 in store_output_config ../sway/config/output.c:220 swaywm#2 0x63da855d4066 in cmd_output ../sway/commands/output.c:106 swaywm#3 0x63da8547f2e3 in config_command ../sway/commands.c:425 swaywm#4 0x63da8548f3fc in read_config ../sway/config.c:822 swaywm#5 0x63da8548a224 in load_config ../sway/config.c:435 swaywm#6 0x63da8548b065 in load_main_config ../sway/config.c:507 swaywm#7 0x63da854bee8d in main ../sway/main.c:351 swaywm#8 0x77e2ea643ccf (/usr/lib/libc.so.6+0x25ccf) (BuildId: c0caa0b7709d3369ee575fcd7d7d0b0fc48733af) swaywm#9 0x77e2ea643d89 in __libc_start_main (/usr/lib/libc.so.6+0x25d89) (BuildId: c0caa0b7709d3369ee575fcd7d7d0b0fc48733af) swaywm#10 0x63da8547ad64 in _start (/home/simon/src/sway/build/sway/sway+0x372d64) (BuildId: 3fa2e8838c1c32713b40aec6b1e84bbe4db5bde8) Fixes: 1267e47 ("config/output: Refactor handling of tiered configs")

../sway/config/output.c:33:21: runtime error: member access within null pointer of type 'struct sway_output' AddressSanitizer:DEADLYSIGNAL ================================================================= ==7856==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000080 (pc 0x63da8558205c bp 0x7ffdc35881a0 sp 0x7ffdc3588160 T0) ==7856==The signal is caused by a READ memory access. ==7856==Hint: address points to the zero page. #0 0x63da8558205c in output_get_identifier ../sway/config/output.c:33 #1 0x63da855865c3 in store_output_config ../sway/config/output.c:220 #2 0x63da855d4066 in cmd_output ../sway/commands/output.c:106 #3 0x63da8547f2e3 in config_command ../sway/commands.c:425 #4 0x63da8548f3fc in read_config ../sway/config.c:822 #5 0x63da8548a224 in load_config ../sway/config.c:435 #6 0x63da8548b065 in load_main_config ../sway/config.c:507 #7 0x63da854bee8d in main ../sway/main.c:351 #8 0x77e2ea643ccf (/usr/lib/libc.so.6+0x25ccf) (BuildId: c0caa0b7709d3369ee575fcd7d7d0b0fc48733af) #9 0x77e2ea643d89 in __libc_start_main (/usr/lib/libc.so.6+0x25d89) (BuildId: c0caa0b7709d3369ee575fcd7d7d0b0fc48733af) #10 0x63da8547ad64 in _start (/home/simon/src/sway/build/sway/sway+0x372d64) (BuildId: 3fa2e8838c1c32713b40aec6b1e84bbe4db5bde8) Fixes: 1267e47 ("config/output: Refactor handling of tiered configs")

Changed cmd_reload to arrange windows post reload

d570acd

ddevault added a commit that referenced this pull request Aug 10, 2015

Merge pull request #9 from Luminarys/master

accde83

Changed cmd_reload to arrange windows post reload

ddevault merged commit accde83 into swaywm:master Aug 10, 2015

podhorsky-ksj mentioned this pull request Feb 14, 2016

segfault in sway #489

Closed

emersion mentioned this pull request Mar 31, 2018

I3bar json #1690

Merged

nearffxx mentioned this pull request May 25, 2018

wlr/backend/calloc SIGABRT #2039

Closed

martinetd mentioned this pull request Jun 30, 2018

xdg_shell: listen to fullscreen request on map #2180

Merged

nearffxx mentioned this pull request Jul 24, 2018

sway/cursor: SEGFAULT #2345

Closed

wmww mentioned this pull request Sep 17, 2018

Fix crash moving out of tab container #2649

Merged

mek-yt mentioned this pull request Oct 11, 2018

fix: cmd_sticky crash sway with empty container #2821

Merged

defau1t mentioned this pull request Feb 8, 2019

Segfault when switching to stacking layout #3618

Closed

p-hamann mentioned this pull request Feb 24, 2019

Sway crashes when using drag and drop in Qt5 applications #3768

Closed

stsquad mentioned this pull request Mar 20, 2019

Occasional SIGFPE crashing sway #3942

Closed

norcalli mentioned this pull request Apr 2, 2019

Segmentation fault when starting the program "Remarkable" or "nemo" or "servo" #4009

Closed

Emantor mentioned this pull request Jun 2, 2019

desktop: output: fix use-after-free in destroy #4205

Merged

sanga mentioned this pull request Nov 27, 2019

segfault when plugging in a new monitor #4759

Closed

x1125 mentioned this pull request Feb 23, 2020

Blank screen and crash on interaction #5037

Closed

Emantor mentioned this pull request Apr 5, 2020

output: remove damage listeners in damage destroy #5181

Merged

fdlamotte mentioned this pull request May 26, 2020

SIGSEGV when navigating menus in libreoffice (and zim) #5385

Closed

dnfm mentioned this pull request Apr 21, 2021

swaywm segfault when full-screening vnc clients on a headless output. #6213

Closed

This was referenced Nov 29, 2021

segfault in arrange_workspace #6689

Open

segfault in cmd_focus #6690

Closed

froeberger mentioned this pull request Jan 8, 2023

warp_to_constraint_cursor_hint: Handle NULL view #7349

Merged

Emantor mentioned this pull request Jun 14, 2023

gamma_control_v1: handle destroyed output #7636

Merged

wxg4net mentioned this pull request Nov 18, 2023

in rox, creating a new folder operation causes Sway to freeze #7824

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Changed cmd_reload to arrange windows post reload #9

Changed cmd_reload to arrange windows post reload #9

Luminarys commented Aug 10, 2015

ddevault commented Aug 10, 2015

Changed cmd_reload to arrange windows post reload #9

Changed cmd_reload to arrange windows post reload #9

Conversation

Luminarys commented Aug 10, 2015

ddevault commented Aug 10, 2015